Document Proxy Server Configuration #4076

Closed
balaji-katika opened this Issue Sep 29, 2016 · 1 comment

balaji-katika commented Sep 29, 2016

Summary

Infinite loop occurs in commence method for Load Balancer (LB) based deployment

Actual Behavior

When useForward is true, the if check below runs in an infinite loop, as the HTTPS requests received by the LB are forwarded to the web server as HTTP:

    if (forceHttps && "http".equals(request.getScheme())) {
        // First redirect the current request to HTTPS.
        // When that request is received, the forward to the login page will be used.
        redirectUrl = buildHttpsRedirectUrlForRequest(request);
    }

Expected Behavior

The if condition above could use the header Forward-proto or X-Forward-proto (refer to https://tools.ietf.org/html/rfc7239#page-7) to determine whether the server has a proxy or LB configured. Not all LBs add this header, and hence it can't always be relied on. Instead, an additional boolean param should be provided with this class to allow users to skip this check for such deployments.

Configuration

<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="forceHttps" value="true"></property>
    <property name="useForward" value="true"></property>
</bean>

Version

spring-security-web-3.2.4.RELEASE

Sample

Refer to the config above

@rwinch rwinch self-assigned this Oct 18, 2016

rwinch added a commit that referenced this issue Oct 18, 2016

@rwinch rwinch added this to the 4.2.0 RC1 milestone Oct 18, 2016

Member

rwinch commented Oct 18, 2016

Thanks for the report.

To solve this you either need to configure your container for a proxy server (i.e. Tomcat's RemoteIpValve) or in Spring 4.3+ you can use ForwardedHeaderFilter.

I updated the documentation to include this information. See 0c35209d77660f397e0ca3f71a7815aebd6858bc
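
As an added example (not part of the original thread or of the Spring Security documentation), the two options named in the comment above could be configured as sketched here. The proxy address pattern and the filter names are constructed placeholders, and both fragments assume the load balancer sets X-Forwarded-Proto and overwrites any copy of that header sent by the client.

```xml
<!-- Option 1: Tomcat conf/server.xml, placed inside the Host element. -->
<!-- RemoteIpValve rewrites request.getScheme() and isSecure() from the -->
<!-- proxy header, but only when the connecting peer matches internalProxies. -->
<!-- internalProxies is a regular expression; 10\.0\.0\.5 is a placeholder -->
<!-- for the load balancer's address. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="10\.0\.0\.5"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https" />

<!-- Option 2: WEB-INF/web.xml, Spring Framework 4.3 or later. -->
<!-- ForwardedHeaderFilter wraps the request so getScheme() reflects the -->
<!-- forwarded protocol. It has no notion of a trusted peer, so the load -->
<!-- balancer must strip or overwrite Forwarded and X-Forwarded-* headers -->
<!-- that arrive from clients. -->
<filter>
    <filter-name>forwardedHeaderFilter</filter-name>
    <filter-class>org.springframework.web.filter.ForwardedHeaderFilter</filter-class>
</filter>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- Filters run in filter-mapping order: the forwarded-header filter is -->
<!-- mapped first so that LoginUrlAuthenticationEntryPoint sees "https" -->
<!-- and does not issue the redirect again. -->
<filter-mapping>
    <filter-name>forwardedHeaderFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

Only one of the two options is needed. With either in place, forceHttps can stay enabled, because the scheme check is evaluated against the protocol the client used to reach the load balancer.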

@rwinch rwinch closed this Oct 18, 2016

@rwinch rwinch changed the title from LoginUrlAuthenticationEntryPoint: Infinite loop in commence method for LB based deployment to Document Proxy Server Configuration Oct 25, 2016
