我只是将我的 webapp 迁移到 HTTPS,除 ajax 登录外一切正常。(尽管非 ajax 登录有效)
当我尝试登录时,收到以下错误消息:
Mixed Content: The page at 'https://www.foo.bar/paris' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://www.foo.bar/security/ajax-success'. This request has been blocked; the content must be served over HTTPS.
在网络选项卡中我得到
https://www.foo.bar/security/ajax-login status - > canceled
http://www.foo.bar/security/ajax-success status -> blocked(mixed-content)
我将 apache2 和 tomcat 与 ProxyPass 一起使用 这是我的默认 ssl 配置:
<VirtualHost _default_:443>
ServerAdmin contact@foo.bar
ServerName www.foo.bar
ErrorLog /home/apache_logs/error_website.log
CustomLog /home/apache_logs/access_website.log combined
SSLEngine on
SSLCertificateFile /home/sslcerts/certs/www.foo.bar.crt
SSLCertificateKeyFile /home/sslcerts/private/foo.key
SSLCertificateChainFile /home/sslcerts/certs/foo.pem
SSLVerifyClient None
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://0.0.0.0:8080/
ProxyPassReverse / https://0.0.0.0:8080/
</VirtualHost>
<VirtualHost *:80>
ServerName www.foo.bar
ServerAlias foo.bar
Redirect "/" "https://www.foo.bar/"
</VirtualHost>
我在这个 java web 应用程序中使用 Spring security,这是我的配置文件:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class MultiHttpSecurityConfig {
@Autowired
@Qualifier("userDetailsService")
UserDetailsService userDetailsService;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Configuration
@Order(1)
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.antMatcher("/security/**")
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.loginProcessingUrl("/security/ajax-login")
.loginPage("/security/ajax-login-page")
.failureUrl("/ajax-failure")
.defaultSuccessUrl("/security/ajax-success", true)
.and()
.logout()
.invalidateHttpSession(true)
.deleteCookies("hdfyer")
.logoutRequestMatcher(new AntPathRequestMatcher("/app/logout"));
}
}
@Configuration
public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/resources/**")
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/account").access("hasRole('ROLE_USER')")
.and()
.formLogin()
.loginPage("/login")
.failureUrl("/login?error")
.loginProcessingUrl("/j_spring_security_check")
.usernameParameter("username")
.passwordParameter("password")
.successHandler(new AuthenticationSuccessCallback())
.and()
.logout()
.invalidateHttpSession(true)
.deleteCookies("jforumUserInfo")
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
}
@Bean(name = "myAuthenticationManager")
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
}
我尝试添加 requiresChannel 或 portMapper 但没有成功(它有时会因太多重定向错误而失败...)。
我也看不出这些配置有什么问题。 如何使 spring security 在 https 而不是 http 上重定向 ajax 登录成功?
最佳答案
解决方法很简单:
将以下代码行添加到您的配置方法
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requiresChannel().antMatchers("/login**,/user**").requiresSecure();
}
注意:/login**,/logout** 应该在您的 apache2 配置中作为代理传递的一部分提及 添加到 antMatcher - 无论哪个请求从 https 重定向到 http。
还有一件事要添加到你的 apache2 配置中
<b> RequestHeader set X-Forwarded-Proto https</b>
和 在你的 spring-boot application.properties(如果你有) 添加以下属性
<强>
server.tomcat.remote_ip_header=x-forwarded-for
server.tomcat.protocol_header=x-forwarded-proto
关于apache - Spring Security ajax 登录使用 http 重定向而不是 https,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/37835342/