强制Grails / Weblogic仅使用HTTPS协议重定向 [英] Force Grails/Weblogic To Only Redirect Using HTTPS protocol

问题描述

我在一个项目中使用Grails（2.2.2），我的应用程序发出了不受欢迎的http重定向，而不是https重定向。

我们目前有一个F5负载平衡器在Oracle Weblogic之前。 F5从Weblogic卸载我们的SSL。 F5只接受https请求，而Weblogic只接受http请求。

我的Grails项目使用Spring Security和Spring Security CAS插件。

这个问题通常发生在CAS登录成功之后。 Grails似乎总是发出HTTP重定向。

我的serverURL指定HTTPS，就像我所有的CAS配置变量一样。像

  grails.serverURL =https://example.com/${appName}
  

有没有办法强制GRAILS / Weblogic只发出https重定向？

编辑＃1 - 进一步信息

我试过这样做没有运气：

  grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true 
 grails.plugin.springsecurity.secureChannel.definition = [
'/ **'： 'REQUIRES_SECURE_CHANNEL'
] 
 grails.plugin.springsecurity.portMapper.httpPort = 80 
 grails.plugin.springsecurity.portMapper.httpsPort = 443 
 grails.plugin.springsecurity.secureChannel。 secureHeaderName ='WL-Proxy-SSL'
 grails.plugin.springsecurity.secureChannel.secureHeaderValue ='http'
 grails.plugin.springsecurity.secureChannel.insecureHeaderName ='WL-Proxy-SSL'
 grails.plugin.springsecurity.secureChannel.insecureHeaderValue ='https'
  

另外，行为似乎可能与Spring Security / Spring CAS插件不尊重协议有关。

在j_spring_security_check之后发生的重定向似乎总是返回http重定向，而不是https重定向。
这造成一个问题，因为我们不允许F5服务器上的http请求。
I.E。

  https://www.example.com/grailsapp/ 
  - > 
 https://www.casserver.com/cas/login?service=https%3A%2F%2Fwww.example.com%2Fgrailsapp%2Fj_spring_cas_security_check 
  - > https://www.example.com/grailsapp/j_spring_cas_security_check;jsessionid=f6T8RyDZ83Z2QQQlMQ7fGXvlrs05m9hTjlBkndD6stBh1s20v2ZH!-1677111548?ticket=ST-231-4Dl5PVDe4RRLpAW5CEXb-www.casserver.com 
  - > 
 http://www.example.com/grailsapp/ 
  

配置CAS插件：

 制作{
 grails.plugins.springsecurity.cas.loginUri ='/ login'
 grails。 plugins.springsecurity.cas.serviceUrl ='https://example.com/grailsapp/j_spring_cas_security_check'
 grails.plugins.springsecurity.cas.serverUrlPrefix ='https://casserver.com/cas'
 grails.plugins.springsecurity.logout.afterLogoutUrl ='https://casserver.com/cas/logout?url=https://example.com/grailsapp/'
} 
 
  
不幸的是，它不像提出Grails解决方案那么理想，但它适用于我的环境。
 当HTTP_RESPONSE {
 if {[HTTP :: is_redirect]} {
 HTTP :: header替换位置[string map {http://example.com/grailsapp/https://example.com/grailsapp/ } [HTTP :: header位置]] 
} 
} 
  
 
I'm using Grails (2.2.2) on a project and my application issues undesirable http redirects instead of https redirects.

We currently have an F5 load balancer in front of Oracle Weblogic. The F5 is offloading our SSL from Weblogic. The F5 only accepts https requests and Weblogic only accepts http requests.

My Grails project uses the Spring Security and Spring Security CAS plugin. 

The problem typically occurs on a successful CAS login. Grails seems to always issue an HTTP redirect. 

My serverURL specifies HTTPS as do all my CAS configuration variables. like
grails.serverURL = "https://example.com/${appName}"
Is there any way to force GRAILS/Weblogic to only issue https redirects?

EDIT #1 - Further Info

I've tried doing this with no luck:
grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
grails.plugin.springsecurity.secureChannel.definition = [
    '/**': 'REQUIRES_SECURE_CHANNEL'
 ]
grails.plugin.springsecurity.portMapper.httpPort = 80
grails.plugin.springsecurity.portMapper.httpsPort = 443
grails.plugin.springsecurity.secureChannel.secureHeaderName = 'WL-Proxy-SSL'
grails.plugin.springsecurity.secureChannel.secureHeaderValue = 'http'
grails.plugin.springsecurity.secureChannel.insecureHeaderName = 'WL-Proxy-SSL'
grails.plugin.springsecurity.secureChannel.insecureHeaderValue = 'https'
Also, the behavior seems like it may be related to Spring Security/Spring CAS plugin not respecting protocol

The redirect that happens after j_spring_security_check seems to always return an http redirect instead of an https redirect.
This creates a problem as we do not allow http requests on the F5 server.
I.E.
https://www.example.com/grailsapp/
-> 
https://www.casserver.com/cas/login?service=https%3A%2F%2Fwww.example.com%2Fgrailsapp%2Fj_spring_cas_security_check
-> https://www.example.com/grailsapp/j_spring_cas_security_check;jsessionid=f6T8RyDZ83Z2QQQlMQ7fGXvlrs05m9hTjlBkndD6stBh1s20v2ZH!-1677111548?ticket=ST-231-4Dl5PVDe4RRLpAW5CEXb-www.casserver.com
->
http://www.example.com/grailsapp/
Config for CAS plugin:
production {
    grails.plugins.springsecurity.cas.loginUri = '/login'
    grails.plugins.springsecurity.cas.serviceUrl = 'https://example.com/grailsapp/j_spring_cas_security_check'
    grails.plugins.springsecurity.cas.serverUrlPrefix = 'https://casserver.com/cas'
    grails.plugins.springsecurity.logout.afterLogoutUrl = 'https://casserver.com/cas/logout?url=https://example.com/grailsapp/'
}

解决方案
I was able to come up with a solution through an F5 redirect rewrite rule. Unfortunately, it is not as ideal as coming up with a Grails solution but it works for my environment.
when HTTP_RESPONSE { 
  if { [HTTP::is_redirect] }{ 
        HTTP::header replace Location [string map {"http://example.com/grailsapp/" "https://example.com/grailsapp/"} [HTTP::header Location]] 
    } 
}


                        
这篇关于强制Grails / Weblogic仅使用HTTPS协议重定向的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！