Just use the Spring Security Namespace. It makes security configuration so easy that it's not worth me writing anything further about it.
The Hard Way
Ok, so like me you are working in a huge enterprise or government department somewhere, and they think they can do security better than Spring.
For whatever reason, if you need to configure this stuff explicitly by wiring up your own beans, here's what you'll need to do:
You probably have something like this:
<bean id="security.local.AuthenticationEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <property name="loginFormUrl" value="/public/login.html"/>
    <property name="forceHttps" value="false"/>
</bean>
You need to change it to this:
<bean id="security.local.AuthenticationEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <property name="loginFormUrl" value="/public/login.html"/>
    <property name="forceHttps" value="true"/>
    <property name="serverSideRedirect" value="false"/>
    <property name="portMapper" ref="portMapperImpl"/>
    <property name="portResolver" ref="portResolverImpl"/>
</bean>
Then you need to define portMapperImpl and portResolverImpl like this:
<bean id="portResolverImpl" class="org.springframework.security.util.PortResolverImpl">
    <property name="portMapper" ref="portMapperImpl"/>
</bean>
<bean id="portMapperImpl" class="org.springframework.security.util.PortMapperImpl">
    <property name="portMappings">
        <map>
            <!-- Mappings for all servers can be listed here - Spring just wants to know which HTTPS port belongs to each HTTP port -->
            <entry key="8080" value="8443"/>
            <entry key="80" value="443"/>
            <!-- SysTest -->
            <entry key="7001" value="7002"/>
            <!-- Prod -->
            <entry key="8001" value="8002"/>
            <!-- Sandpit -->
            <entry key="8051" value="8052"/>
        </map>
    </property>
</bean>
And then the configuration that forces the login page to be served over SSL:
<bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter">
    <property name="channelDecisionManager" ref="channelDecisionManager"/>
    <property name="filterInvocationDefinitionSource">
        <security:filter-invocation-definition-source path-type="ant">
            <!-- You can configure further rules here about which pages should use SSL. -->
            <security:intercept-url pattern="/public/login.html" access="REQUIRES_SECURE_CHANNEL"/>
        </security:filter-invocation-definition-source>
    </property>
</bean>
<bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl">
    <property name="channelProcessors">
        <list>
            <ref bean="secureChannelProcessor"/>
            <ref bean="insecureChannelProcessor"/>
        </list>
    </property>
</bean>
<bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/>
<bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/>
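With this many hand-wired beans it is easy to leave one piece out, so here is a small check that audits a beans file against the recipe above. It is an added example, not part of the original post or of Spring Security: the function names and the sample XML are constructed, the Ant matcher is a simplification, and it assumes channel rules are evaluated in order with the first match winning.

```python
import re
import xml.etree.ElementTree as ET

B = "{http://www.springframework.org/schema/beans}"
S = "{http://www.springframework.org/schema/security}"
ENTRY_POINT = "org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint"
CHANNEL_FILTER = "org.springframework.security.securechannel.ChannelProcessingFilter"

def ant_match(pattern, path):
    """Simplified Ant matcher: ** spans directories, * and ? stay within one segment."""
    tokens = re.findall(r"\*\*|\*|\?|[^*?]+", pattern)
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return re.fullmatch("".join(table.get(t, re.escape(t)) for t in tokens), path) is not None

def channel_access(root, path):
    """Access value of the first channel rule matching path (assumes first match wins)."""
    for bean in root.iter(B + "bean"):
        if bean.get("class") == CHANNEL_FILTER:
            for rule in bean.iter(S + "intercept-url"):
                if ant_match(rule.get("pattern", ""), path):
                    return rule.get("access", "")
    return ""

def audit(xml_text):
    """Return findings for each form-login entry point in a Spring beans file."""
    root = ET.fromstring(xml_text)
    ids = {b.get("id") for b in root.iter(B + "bean") if b.get("id")}
    findings = []
    for bean in (b for b in root.iter(B + "bean") if b.get("class") == ENTRY_POINT):
        p = {e.get("name"): e.get("value") or e.get("ref") for e in bean.findall(B + "property")}
        if p.get("forceHttps") != "true":
            findings.append("forceHttps is not true")
        for name in ("portMapper", "portResolver"):
            if p.get(name) not in ids:
                findings.append(name + " is not wired to a defined bean")
        url = p.get("loginFormUrl") or ""
        if "REQUIRES_SECURE_CHANNEL" not in channel_access(root, url):
            findings.append("no REQUIRES_SECURE_CHANNEL rule for " + url)
    return findings

# Constructed sample: the "before" entry point from the post, with no channel filter.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="ep" class="%s">
    <property name="loginFormUrl" value="/public/login.html"/>
    <property name="forceHttps" value="false"/>
  </bean>
</beans>""" % ENTRY_POINT
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the "before" bean it reports all four gaps; a file wired as shown above returns an empty list.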