Tags: java, spring-boot, http, spring-security, amazon-elb

Spring Boot Security using http instead of https when forwarding to login page


I am using Spring Boot Security with a custom AuthenticationProvider to secure a Java Spring Boot application. Attempts to access the application via a browser are directed to a custom login page. The body of my security config class is pasted below:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
@Configuration
public class SecurityConfiguration {

    // Custom provider that authenticates users against the Documentum back end.
    @Bean
    public AuthenticationProvider authenticationProvider() {
        return new DocumentumAuthenticationProvider();
    }

    // Every request must be authenticated; unauthenticated users are redirected
    // to the custom login page, which (like logout) is open to everyone.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginPage("/content/login")
                .permitAll()
                .and()
                .logout()
                .logoutUrl("/content/logout")
                .logoutSuccessUrl("/content/logout")
                .permitAll();
        return http.build();
    }

    // Static assets and the retrieve/upload endpoints bypass the security filter chain entirely.
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring().antMatchers("/retrieve/**", "/upload/**", "/content/css/**", "/content/scripts/**", "/content/images/**");
    }

    @Bean
    public BCryptPasswordEncoder encodePWD() {
        return new BCryptPasswordEncoder();
    }
}

This all works fine when I run my services locally within my IDE. For the next step, I containerised my application and deployed it to an AWS EC2 server. I have configured a custom HTTPS port for the app and have added a corresponding listener to the Application Load Balancer.

The issue is that when a user attempts to access the app in a browser over https, Spring Security is forwarding the user to a login page using http instead of https as the protocol, e.g. the user enters the following address in the browser:

https://my-app:22223/content/documents

...and is forwarded here:

http://my-app:22223/content/login

Because this is an https port, the user sees this error page:

[screenshot: browser error page caused by using http instead of https]

If the user manually changes the protocol to https in the browser address bar, it then works fine.

I would be very grateful if anyone would be able to advise me why Spring Boot Security is behaving this way and what steps I can take to force it to use https in the login URL. Many thanks for reading my post!


Solution

  • You should configure the Application Load Balancer (ALB) to terminate SSL (i.e. register a certificate, etc.). If this is configured correctly, the ALB will automatically add a header (X-Forwarded-Proto) that tells Spring Security that it needs to use HTTPS for its redirects.
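The header the answer mentions only helps if the application actually honours it: by default a Spring Boot servlet app builds absolute redirect URLs (the login redirect comes from LoginUrlAuthenticationEntryPoint) out of the scheme and port of the plain-HTTP hop between the load balancer and the container, which is exactly the http://my-app:22223/content/login seen in the question. The following is an added example, not code from the question or the answer, showing the two ways to make Spring read X-Forwarded-Proto and X-Forwarded-Port: the one-line property `server.forward-headers-strategy=framework`, or an explicit ForwardedHeaderFilter registration, plus a small demonstration of what the wrapped request reports. It assumes Spring Boot 2.2+ with Spring Security 5.x on the javax servlet stack (the API style of the question's config), the spring-test dependency for the mock request used in main(), and a hypothetical container port of 8080; the package name and class name are placeholders.

```java
// Added example (not from the original post). Makes the app honour the
// X-Forwarded-Proto / X-Forwarded-Port headers the ALB adds after terminating TLS,
// so Spring Security's login redirect uses the external scheme and port.
package com.example.security;

import javax.servlet.http.HttpServletRequest;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.filter.ForwardedHeaderFilter;

@Configuration
public class ForwardedHeadersConfig {

    // Equivalent to  server.forward-headers-strategy=framework  in
    // application.properties, which makes Boot register this filter itself.
    // The filter wraps each request so getScheme(), getServerPort() and
    // getRequestURL() reflect X-Forwarded-Proto/-Port/-Host instead of the
    // plain-HTTP hop from the load balancer. It must run before Spring
    // Security's filter chain, hence HIGHEST_PRECEDENCE.
    @Bean
    public FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
        FilterRegistrationBean<ForwardedHeaderFilter> registration =
                new FilterRegistrationBean<>(new ForwardedHeaderFilter());
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }

    // Runs the filter once over a request and returns the wrapped request that
    // downstream filters (including Spring Security) would see.
    static HttpServletRequest applyForwardedHeaders(HttpServletRequest request)
            throws Exception {
        MockFilterChain chain = new MockFilterChain();
        new ForwardedHeaderFilter().doFilter(request, new MockHttpServletResponse(), chain);
        return (HttpServletRequest) chain.getRequest();
    }

    public static void main(String[] args) throws Exception {
        // Constructed request shaped like the one the ALB forwards: plain HTTP on a
        // hypothetical container port, with headers describing the original HTTPS
        // request on the listener port (22223 as in the question).
        MockHttpServletRequest fromAlb = new MockHttpServletRequest("GET", "/content/documents");
        fromAlb.setServerName("my-app");
        fromAlb.setServerPort(8080);
        fromAlb.addHeader("X-Forwarded-Proto", "https");
        fromAlb.addHeader("X-Forwarded-Port", "22223");

        // Without the filter: scheme "http", port 8080, so any absolute redirect
        // built from the request is http://..., which is the symptom in the question.
        System.out.println("raw:     " + fromAlb.getScheme() + " " + fromAlb.getServerPort());

        // With the filter: scheme "https", port 22223, so the entry point builds
        // https://my-app:22223/content/login instead.
        HttpServletRequest seen = applyForwardedHeaders(fromAlb);
        System.out.println("wrapped: " + seen.getScheme() + " " + seen.getServerPort());
        System.out.println("url:     " + seen.getRequestURL());
    }
}
```

Two practical notes. First, the ALB listener must terminate TLS and the target group must talk plain HTTP to the container; if the container still serves TLS on 22223 behind an HTTPS listener, there is no X-Forwarded-Proto handling to fix and the symptom is a different misconfiguration. Second, forwarded headers are trusted input: only enable them when the instance's security group allows traffic from the ALB alone, otherwise a client that can reach the container directly can spoof X-Forwarded-Proto and X-Forwarded-For. If the container is reachable directly, prefer `server.forward-headers-strategy=native` together with Tomcat's `server.tomcat.remoteip.internal-proxies` so that only the load balancer's address range is honoured.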