Spring Security: requires-channel="https" behind an SSL accelerator

Question

We're using an F5 BIG-IP device to terminate SSL connections and connecting by plain HTTP to the application server with a Spring-enabled application. Also, we configured the F5 to send an X-Forwarded-Proto header with http or https as value.

Now we'd like to enforce HTTPS by configuring an intercept url:

<security:intercept-url pattern="/login.action" requires-channel="https" />

But this only works if the protocol scheme in the servlet container is HTTPS, so we need to interpret the HTTP header.

Any idea how to do this?

Thanks, Simon

Recommended answer

Subclass SecureChannelProcessor and InsecureChannelProcessor overriding decide(). You'll need to copy and paste some code, for example for Secure:

    @Override
    public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException {
      Assert.isTrue((invocation != null) && (config != null),
                       "Nulls cannot be provided");

      for (ConfigAttribute attribute : config) {
          if (supports(attribute)) {
              // Constant-first comparison: getHeader() returns null when the header is absent
              if ("http".equals(invocation.getHttpRequest().
                      getHeader("X-Forwarded-Proto"))) {
                  // entryPoint is private in SecureChannelProcessor, so go through the getter
                  getEntryPoint().commence(invocation.getRequest(),
                      invocation.getResponse());
              }
          }
      }
    }

Then set these ChannelProcessors on the ChannelDecisionManagerImpl bean using a BeanPostProcessor.
