Grails Spring Security使用https重定向到登录页面 [英] Grails Spring Security redirect to login page using https

问题描述

负载平衡器解密ssl连接并转发到8080的端口。

我有一个Grails应用程序，使用运行在负载均衡器后面的AWS机器上的Spring Security Core。我们的实例添加了适当的X-Forwarded-Proto头文件。

我希望直接访问安全页面以使用https重定向到登录页面。 b
$ b

例如，请求 https://myapp.com/private/page 应该重定向到 https://myapp.com/login/auth

我把这在我的config.groovy中：

  grails.plugin.springsecurity.secureChannel.definition = [
'/ login / **'：'REQUIRES_SECURE_CHANNEL'
] 
  

但这会导致重定向循环（HTTP代码302）到http登录页面（ http://myapp.com/login/auth ）

然后我试着用：

  grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity =真
 grails.plugin.springsecurity.auth.forceHttps =真
  

但这会导致重定向（HTTP代码302）到http登录页面（ http://myapp.com/login/auth ）

1. 问题仅在于如果我在loacal开发机器上测试相同的config.groovy，则重定向到https://myapp.com/login/auth 恰好没有问题。


2. 我尝试为弹簧安全指定一个不同的httpsPort ，它也可以在我的本地开发机器上运行，但在部署的应用程序中完全忽略它，并将其重定向到http

没有运气潜藏在类似的帖子，任何想法？

解决方案

我也在托管我的Grails应用程序AWS上的Spring Security Core 2.0-RC4包含https和负载平衡器，感谢 spock99 （上图）和Ravi L AWS，我得到了它的工作。

我在config.groovy中做了以下工作：

  //必须因为用户身份验证使用绝对重定向
 grails.serverURL =http://example.com
 
 grails.plugin.springsecurity.secureChannel.definition = [ 
 '/资产/ **'： 'ANY_CHANNEL'，//让JS，CSS，图像提供给登出页面
 '/ **'： 'REQUIRES_SECURE_CHANNEL'，
] 
 
 //从SpringSecurityCore 2.0-RC4 
 grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity重写在DefaultSecurityConfig.groovy值=真
 grails.plugin.springsecurity.portMapper.httpPort = 80 
 grails.plugin.springsecurity.portMapper.httpsPort = 443 
  

注意：以下在Spring Security Core 2.0-RC4中不需要 - 它们已经在DefaultSecurityConfig.groovy中了。
$ b

  secureHeaderName =' X  - 转发的Proto 
 secureHeaderValue = 'HTTP' 
 insecureHeaderName = 'X  - 转发的Proto' 
 insecureHeaderValue = 'https' 时
  

因为点击'/'返回302重定向到/ login / auth，所以我给HomeController添加了一个health（）方法我映射到 '/健康'），用于AWS击中：

 类的HomeController {
 @Secured（'IS_AUTHENTICATED_FULLY '）
 def index（）{} 
 
 @Secured（'permitAll'）
 def health（）{render''} 
} 
  

对我来说，关键是会话cookie不能正确处理Load Balancer上运行的多个实例（我没有发现这个直到设定e的最小实例为2），所以为了让用户能够登录并保持登录状态，我在AWS上进行了以下操作：

  1。在Services / Elastic Beanstalk / Configuration / Load Balancing 
 a。设置应用程序运行状况检查URL：/ health 
 b。在服务/ EC2 /负载平衡器/描述/端口配置：
对于端口80（HTTP）和443（HTTPS）
 1.编辑并选择'启用应用程序生成的Cookie粘性'
 2. Cookie名称：JSESSIONID 
  

I have a Grails app using Spring Security Core running on an AWS machine behind a load balancer.

The load balancer decrypts the ssl connections and forwards to port 8080 of our instance adding appropriate X-Forwarded-Proto headers.

I would like any direct access to a secured page to redirect to the login page using https.

For example a request https://myapp.com/private/page should redirect to https://myapp.com/login/auth

I put this in my config.groovy:

grails.plugin.springsecurity.secureChannel.definition = [
    '/login/**':        'REQUIRES_SECURE_CHANNEL'
]

but this causes a redirect loop (HTTP code 302) to the http login page (http://myapp.com/login/auth)

Then I tried just with:

grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
grails.plugin.springsecurity.auth.forceHttps = true

but this causes a redirect (HTTP code 302) to the http login page (http://myapp.com/login/auth)

1. The issue is presentig just with the production setup (war deployed to Tomcat behind the load balancer).
2. If I test the same config.groovy on my loacal dev machine the redirect to https://myapp.com/login/auth happens just fine.
3. I tried to specify a different httpsPort for spring security, again it works on my local dev machine but it is completely ignored in the deployed app that keeps redirecting to http

No luck lurking at similar posts, any idea?

解决方案

I also am hosting my Grails app with Spring Security Core 2.0-RC4 on AWS with https and a load balancer, and thanks to spock99 (above) and Ravi L of AWS, I got it working.

I did the following in config.groovy:

    // Required because user auth uses absolute redirects
    grails.serverURL = "http://example.com"

    grails.plugin.springsecurity.secureChannel.definition = [
        '/assets/**':     'ANY_CHANNEL',// make js, css, images available to logged out pages
        '/**':            'REQUIRES_SECURE_CHANNEL',
    ]

    // overriding values in DefaultSecurityConfig.groovy from the SpringSecurityCore 2.0-RC4 
    grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
    grails.plugin.springsecurity.portMapper.httpPort = 80
    grails.plugin.springsecurity.portMapper.httpsPort = 443

NOTE: The following were not needed in Spring Security Core 2.0-RC4 - they are already in DefaultSecurityConfig.groovy

    secureHeaderName = 'X-Forwarded-Proto'
    secureHeaderValue = 'http'
    insecureHeaderName = 'X-Forwarded-Proto'
    insecureHeaderValue = 'https'

I was getting false 'Unhealthy' readings because hitting '/' returns a 302 redirect to /login/auth, so I added a health() method to HomeController (which I mapped to '/health') for AWS to hit:

    class HomeController {
        @Secured('IS_AUTHENTICATED_FULLY')
        def index() { }

        @Secured('permitAll')
        def health() { render '' }
    }

Key for me was that session cookies were not being handled properly with multiple instance running on the Load Balancer (I did not discover this until setting the minimum instance to 2), so in order for users to be able to log in and stay logged in, I did the following on AWS:

1.  At Services / Elastic Beanstalk / Configuration / Load Balancing 
    a. set Application health check URL: /health
    b. left Session Stickiness: unchecked
2. At Services / EC2 / Load Balancers / Description / Port Configuration:
    For both port 80 (HTTP)  and 443 (HTTPS)
        1. Edit and select 'Enable Application Generated Cookie Stickiness'
        2. Cookie Name: JSESSIONID

这篇关于Grails Spring Security使用https重定向到登录页面的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！