HTTPS上的Spring登录在验证后重定向到HTTP
出于某种原因,我的Spring登录表单加载并发布到https,但随后对http页面执行302操作,从而导致错误。为什么不使用https,并使用https设置cookie POST/j\u spring\u security\u check HTTP/1.1HTTPS上的Spring登录在验证后重定向到HTTP,spring,spring-mvc,ssl,login,https,Spring,Spring Mvc,Ssl,Login,Https,出于某种原因,我的Spring登录表单加载并发布到https,但随后对http页面执行302操作,从而导致错误。为什么不使用https,并使用https设置cookie POST/j\u spring\u security\u check HTTP/1.1 HTTP/1.1 302 Found Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=9F9847C75A448A14CF631DBBD2F0E6A1; Path=/; HttpOnly Lo
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9F9847C75A448A14CF631DBBD2F0E6A1; Path=/; HttpOnly
Location: http://example.com/
Content-Length: 0
Date: Fri, 24 Jan 2014 21:30:55 GMT
配置
<http pattern="/services/**" create-session="stateless" entry-point-ref="basicAuthAwareAuthenticationEntryPoint">
<http-basic/>
<intercept-url pattern="/services/**" access="ROLE_SERVICE" />
</http>
<http auto-config="true">
<intercept-url pattern="/index.*" access="ROLE_USER" />
<intercept-url pattern="/welcome.htm" access="ROLE_USER" />
<intercept-url pattern="/changePassword.htm" access="ROLE_USER" />
<intercept-url pattern="/admin/**" access="ROLE_USER" />
<intercept-url pattern="/notifications/**" access="ROLE_ANONYMOUS,ROLE_USER" />
<intercept-url pattern="/logging/**" access="ROLE_USER" />
<form-login login-page="/login.htm" default-target-url="/admin/viewInstitutions.htm"
authentication-failure-url="/loginfailed.htm" />
<logout logout-success-url="/logout.htm" />
</http>
requires channel=“https”
属性中,或者只需在身份验证入口点上设置forceHttps=true
我们在我的heroku配置上遇到了类似的问题,最后是heroku完成了HTTPS连接,并向应用服务器发送了一个HTTP连接 默认情况下,Spring Security中的失败和成功URL不包括服务器名称(即
successHandler.defaultTargetUrl='/'
或successHandler.ajaxSuccessUrl='/login/ajaxSuccess'
)
这意味着当处理程序确定要转发到的URL时(此处):
它将使用请求构建一个绝对URL,如下所示:
我通过将重定向URL定义为绝对URL来解决这个问题,对于Grails应用程序(但您可以轻松地将其转换为标准的Spring应用程序),如下所示:
staging {
grails.serverURL = "https://staging.myapp.com"
grails.plugin.springsecurity.successHandler.defaultTargetUrl = "${grails.serverURL}/"
grails.plugin.springsecurity.successHandler.ajaxSuccessUrl = "${grails.serverURL}/login/ajaxSuccess"
grails.plugin.springsecurity.failureHandler.defaultFailureUrl = "${grails.serverURL}/login/authfail?login_error=1"
grails.plugin.springsecurity.failureHandler.ajaxAuthFailUrl = "${grails.serverURL}/login/authfail?ajax=true"
...
}
你找到解决办法了吗?我有类似的问题,它重定向回http。我在这里尝试了第二个答案,但似乎对我的情况没有帮助,并且不确定在哪里放置requires channel=“https”属性。