This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.3.4! |
HTTP
All HTTP based communication should be protected using TLS.
Below you can find details around Servlet specific features that assist with HTTPS usage.
Redirect to HTTPS
If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS.
For example, the following Java configuration will redirect any HTTP requests to HTTPS:
Redirect to HTTPS
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) {
http
// ...
.requiresChannel(channel -> channel
.anyRequest().requiresSecure()
);
}
}
@Configuration
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
// ...
requiresChannel {
secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
}
}
}
}
The following XML configuration will redirect all HTTP requests to HTTPS
Redirect to HTTPS with XML Configuration
<http>
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
...
</http>
Strict Transport Security
Spring Security provides support for Strict Transport Security and enables it by default.
Proxy Server Configuration
Spring Security integrates with proxy servers.