For the latest stable version, please use Spring Security 6.4.0! |
HTTP
All HTTP-based communication should be protected using TLS.
This section discusses the details of servlet-specific features that assist with HTTPS usage.
Redirect to HTTPS
If a client makes a request using HTTP rather than HTTPS, you can configure Spring Security to redirect to HTTPS.
For example, the following Java or Kotlin configuration redirects any HTTP requests to HTTPS:
Redirect to HTTPS
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
// ...
.requiresChannel(channel -> channel
.anyRequest().requiresSecure()
);
return http.build();
}
}
@Configuration
@EnableWebSecurity
class SecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
// ...
requiresChannel {
secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
}
}
return http.build()
}
}
The following XML configuration redirects all HTTP requests to HTTPS
Redirect to HTTPS with XML Configuration
<http>
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
...
</http>
Strict Transport Security
Spring Security provides support for Strict Transport Security and enables it by default.
Proxy Server Configuration
Spring Security integrates with proxy servers.