Right now, the load balancers handle https and then pass along that https to my web servers, so https is handled twice for each request. What I want to do is completely offload https so my web servers don’t have to deal with it.
How do I configure Spring Security and JSP pages given that the web servers think all requests are http? Obviously I’ll have to modify the <intercept-url> elements of my configuration so that their requires-channel attribute is always http or any. In my JSP pages I’ll have to prepend the <c:url value=''/> links with a ${secureUrl} or ${nonSecureUrl} depending on whether the resulting page needs to be https or http. Redirects from controllers need to be modified like this as well… Anything else?
Seems like quite a pain to modify all links in JSP pages to include the scheme and host too. Is there a better way to do that?
If you terminate SSL at the load balancer then your load balancer should send a header indicating what protocol was originally requested. For example, the F5 adds X-Forwarded-Proto.
From here you can create custom ChannelProcessors that look at this header instead of looking at request.isSecure(). Then you can continue using <intercept-url requires-channel="https"> and relative <c:url>. The steps:

1. Subclass SecureChannelProcessor and InsecureChannelProcessor, overriding decide(). In decide(), check the header sent by your load balancer.
2. Set these ChannelProcessors on the ChannelDecisionManagerImpl bean using a BeanPostProcessor. See this Spring Security FAQ on why/how to use a BeanPostProcessor for this.
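The two steps above put together, as an added example that is not code from the question or the answer. It assumes Spring Security 3.x package names and method signatures, that the load balancer sets X-Forwarded-Proto (the F5 header named above) and overwrites any copy a client sends, and that the web servers are reachable only through the load balancer, since the header is trusted in place of request.isSecure().

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.channel.ChannelDecisionManagerImpl;
import org.springframework.security.web.access.channel.ChannelProcessor;
import org.springframework.security.web.access.channel.InsecureChannelProcessor;
import org.springframework.security.web.access.channel.SecureChannelProcessor;
/** Header-aware channel processors plus the BeanPostProcessor that installs them; register as a <bean/>. */
public class ForwardedProtoChannelProcessors implements BeanPostProcessor {
    /** Scheme the client really used, per the load balancer; with no header, trust the container instead. */
    static boolean clientUsedHttps(HttpServletRequest request) {
        String proto = request.getHeader("X-Forwarded-Proto");   // assumed to be set (and overwritten) by the LB
        return proto == null ? request.isSecure() : "https".equalsIgnoreCase(proto.trim());
    }
    /** True when config carries an attribute this processor supports and the client's channel differs. */
    static boolean mismatch(ChannelProcessor p, FilterInvocation fi, Collection<ConfigAttribute> config, boolean wantHttps) {
        for (ConfigAttribute attr : config) {
            if (p.supports(attr) && clientUsedHttps(fi.getHttpRequest()) != wantHttps) return true;
        }
        return false;
    }
    /** Same as SecureChannelProcessor, except the "already https?" test reads the header. */
    public static class HeaderSecureChannelProcessor extends SecureChannelProcessor {
        @Override public void decide(FilterInvocation fi, Collection<ConfigAttribute> config) throws IOException, ServletException {
            if (mismatch(this, fi, config, true))   // client arrived over http: the entry point redirects to https
                getEntryPoint().commence(fi.getHttpRequest(), fi.getHttpResponse());
        }
    }
    /** Mirror image, for requires-channel="http". */
    public static class HeaderInsecureChannelProcessor extends InsecureChannelProcessor {
        @Override public void decide(FilterInvocation fi, Collection<ConfigAttribute> config) throws IOException, ServletException {
            if (mismatch(this, fi, config, false))  // client arrived over https: the entry point redirects to http
                getEntryPoint().commence(fi.getHttpRequest(), fi.getHttpResponse());
        }
    }
    /** Replace the processors the namespace config put on ChannelDecisionManagerImpl. */
    public Object postProcessAfterInitialization(Object bean, String beanName) {
        if (bean instanceof ChannelDecisionManagerImpl)
            ((ChannelDecisionManagerImpl) bean).setChannelProcessors(
                    Arrays.asList(new HeaderSecureChannelProcessor(), new HeaderInsecureChannelProcessor()));
        return bean;
    }
    public Object postProcessBeforeInitialization(Object bean, String beanName) { return bean; }
}
```

The redirect target is still built by the default entry points from the port the web server sees, translated through the PortMapper (80 to 443 and 8080 to 8443 by default), so if the load balancer forwards to some other port, give the entry points a PortMapperImpl with that mapping.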