Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
426 views
in Technique[技术] by (71.8m points)

jsp - Offloading https to load balancers with Spring Security

Right now, the load balancers handle https and then pass along that https to my web servers. So dealing with https double for each request. What I want to do is completely offload https so my web servers don't have to deal with it.

How do I configure Spring Security and JSP pages given that the web servers think all requests are http? Obviously I'll have to modify the <intercept-url> elements of my configuration to have their requires-channel attribute always be http or any. In my JSP pages I'll have to prepend the <c:url value=''/> links with a ${secureUrl} and ${nonSecureUrl} depending whether the resulting page needs to be https or http. Redirects from controllers need to be modified like this as well... Anything else?

Seems like quite a pain to modify all links in JSP pages to include the scheme and host too. Is there a better way to do that?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

If you terminate SSL at the load balancer then your load balancer should send a header indicating what protocol was originally requested. For example, the F5 adds X-Forwarded-Proto.

From here you can create custom ChannelProcessors that look at this header instead of looking at request.isSecure(). Then you can continue using <intercept-url requires-channel="https"> and relative <c:url>.

The steps:

  1. Subclass SecureChannelProcessor and InsecureChannelProcessor overriding decide(). In decide() check the header sent by your load balancer.

    @Override
    public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException {
    
      for (ConfigAttribute attribute : config) {
          if (supports(attribute)) {
              if (invocation.getHttpRequest().
                      getHeader("X-Forwarded-Proto").equals("http")) {
                  entryPoint.commence(invocation.getRequest(),
                      invocation.getResponse());
              }
          }
      }
    }
    
  2. Then set these ChannelProcessors on the ChannelDecisionManagerImpl bean using a BeanPostProcessor. See this Spring Security FAQ on why/how to use a BeanPostProcessor for this.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...