Offloading https to load balancers with Spring Security


Problem description

Right now, the load balancers handle https and then pass along that https to my web servers. So dealing with https double for each request. What I want to do is completely offload https so my web servers don't have to deal with it.

How do I configure Spring Security and JSP pages given that the web servers think all requests are http? Obviously I'll have to modify the <intercept-url> elements of my configuration to have their requires-channel attribute always be http or any. In my JSP pages I'll have to prepend the <c:url value=''/> links with a ${secureUrl} and ${nonSecureUrl} depending whether the resulting page needs to be https or http. Redirects from controllers need to be modified like this as well... Anything else?

Seems like quite a pain to modify all links in JSP pages to include the scheme and host too. Is there a better way to do that?

Recommended answer

If you terminate SSL at the load balancer then your load balancer should send a header indicating what protocol was originally requested. For example, the F5 adds X-Forwarded-Proto.

From here you can create custom ChannelProcessors that look at this header instead of looking at request.isSecure(). Then you can continue using <intercept-url requires-channel="https"> and relative <c:url>.

Steps:


  1. Subclass SecureChannelProcessor and InsecureChannelProcessor overriding decide(). In decide() check the header sent by your load balancer.

@Override
public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException {

  for (ConfigAttribute attribute : config) {
      if (supports(attribute)) {
          // Constant-first equals() avoids a NullPointerException when the header is absent
          if ("http".equals(invocation.getHttpRequest().
                  getHeader("X-Forwarded-Proto"))) {
              // entryPoint is private in the parent class, so go through its getter
              getEntryPoint().commence(invocation.getRequest(),
                  invocation.getResponse());
          }
      }
  }
}


  2. Then set these ChannelProcessors on the ChannelDecisionManagerImpl bean using a BeanPostProcessor. See this Spring Security FAQ on why/how to use a BeanPostProcessor for this.
