Grails Spring Security 使用 https 重定向到登录页面 [英] Grails Spring Security redirect to login page using https
问题描述
我有一个使用 Spring Security Core 的 Grails 应用程序,它在负载均衡器后面的 AWS 机器上运行.
I have a Grails app using Spring Security Core running on an AWS machine behind a load balancer.
负载均衡器解密 ssl 连接并转发到我们实例的端口 8080,并添加适当的 X-Forwarded-Proto 标头.
The load balancer decrypts the ssl connections and forwards to port 8080 of our instance adding appropriate X-Forwarded-Proto headers.
我希望对安全页面的任何直接访问都使用 https 重定向到登录页面.
I would like any direct access to a secured page to redirect to the login page using https.
例如一个请求 https://myapp.com/private/page 应该重定向到 https://myapp.com/login/auth
For example a request https://myapp.com/private/page should redirect to https://myapp.com/login/auth
我把它放在我的 config.groovy 中:
I put this in my config.groovy:
grails.plugin.springsecurity.secureChannel.definition = [
'/login/**': 'REQUIRES_SECURE_CHANNEL'
]
但这会导致重定向循环(HTTP 代码 302)到 http 登录页面(http://myapp.com/login/auth)
but this causes a redirect loop (HTTP code 302) to the http login page (http://myapp.com/login/auth)
然后我尝试了:
grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
grails.plugin.springsecurity.auth.forceHttps = true
但这会导致重定向(HTTP 代码 302)到 http 登录页面(http://myapp.com/login/auth一>)
but this causes a redirect (HTTP code 302) to the http login page (http://myapp.com/login/auth)
- 问题仅在于生产设置(部署到负载均衡器后面的 Tomcat 的战争).
- 如果我在本地开发机器上测试相同的 config.groovy,则重定向到 https://myapp.com/login/auth 发生得很好.
- 我尝试为 spring 安全性指定不同的 httpsPort,它再次在我的本地开发机器上工作,但在不断重定向到 http 的已部署应用程序中完全被忽略
没有运气潜伏在类似的帖子中,有什么想法吗?
No luck lurking at similar posts, any idea?
推荐答案
我还在 AWS 上使用 Spring Security Core 2.0-RC4 托管我的 Grails 应用程序,使用 https 和负载均衡器,感谢 spock99(上图)和 AWS 的 Ravi L,我成功了.
I also am hosting my Grails app with Spring Security Core 2.0-RC4 on AWS with https and a load balancer, and thanks to spock99 (above) and Ravi L of AWS, I got it working.
我在 config.groovy 中做了以下事情:
I did the following in config.groovy:
// Required because user auth uses absolute redirects
grails.serverURL = "http://example.com"
grails.plugin.springsecurity.secureChannel.definition = [
'/assets/**': 'ANY_CHANNEL',// make js, css, images available to logged out pages
'/**': 'REQUIRES_SECURE_CHANNEL',
]
// overriding values in DefaultSecurityConfig.groovy from the SpringSecurityCore 2.0-RC4
grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
grails.plugin.springsecurity.portMapper.httpPort = 80
grails.plugin.springsecurity.portMapper.httpsPort = 443
注意:Spring Security Core 2.0-RC4 中不需要以下内容 - 它们已经在 DefaultSecurityConfig.groovy 中
NOTE: The following were not needed in Spring Security Core 2.0-RC4 - they are already in DefaultSecurityConfig.groovy
secureHeaderName = 'X-Forwarded-Proto'
secureHeaderValue = 'http'
insecureHeaderName = 'X-Forwarded-Proto'
insecureHeaderValue = 'https'
我得到错误的不健康"读数,因为点击/"会返回到/login/auth 的 302 重定向,所以我向 HomeController(我映射到/health")添加了一个 health() 方法,以便 AWS 命中:
I was getting false 'Unhealthy' readings because hitting '/' returns a 302 redirect to /login/auth, so I added a health() method to HomeController (which I mapped to '/health') for AWS to hit:
class HomeController {
@Secured('IS_AUTHENTICATED_FULLY')
def index() { }
@Secured('permitAll')
def health() { render '' }
}
对我来说,关键是在负载均衡器上运行多个实例时会话 cookie 没有得到正确处理(我直到将最小实例设置为 2 才发现这一点),因此为了让用户能够登录和保持登录状态,我在 AWS 上执行了以下操作:
Key for me was that session cookies were not being handled properly with multiple instance running on the Load Balancer (I did not discover this until setting the minimum instance to 2), so in order for users to be able to log in and stay logged in, I did the following on AWS:
1. At Services / Elastic Beanstalk / Configuration / Load Balancing
a. set Application health check URL: /health
b. left Session Stickiness: unchecked
2. At Services / EC2 / Load Balancers / Description / Port Configuration:
For both port 80 (HTTP) and 443 (HTTPS)
1. Edit and select 'Enable Application Generated Cookie Stickiness'
2. Cookie Name: JSESSIONID
这篇关于Grails Spring Security 使用 https 重定向到登录页面的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
