Infinite loop occurs in commence method for Load Balancer (LB) based deployment
Actual Behavior
When useForward is true, the if check below runs in an infinite loop because the HTTPS requests received by the LB are forwarded to the web server as HTTP:
    if (forceHttps && "http".equals(request.getScheme())) {
        // First redirect the current request to HTTPS.
        // When that request is received, the forward to the login page will be used.
        redirectUrl = buildHttpsRedirectUrlForRequest(request);
    }
Expected Behavior
The if condition above could use the header Forward-proto or X-Forward-proto (refer to https://tools.ietf.org/html/rfc7239#page-7) to determine if the server has a proxy or LB configured. Not all LBs add this header, hence it can't always be relied on. Instead, an additional boolean param should be provided with this class to allow users to skip this check for such deployments.
To solve this you either need to configure your container for a proxy server (i.e. Tomcat's RemoteIpValve) or in Spring 4.3+ you can use ForwardedHeaderFilter.
I updated the documentation to include this information. See 0c35209d77660f397e0ca3f71a7815aebd6858bc
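The loop described in the issue and the fix named in the reply, as an added example that is not code from the Spring Security project or from either participant. It is a small Python model of the entry point's forceHttps decision sitting behind a TLS-terminating load balancer: the LB receives HTTPS and forwards plain HTTP, so request.getScheme() keeps returning "http" and the HTTPS redirect repeats. The model of the fix does what RemoteIpValve or ForwardedHeaderFilter does, rewriting the scheme from the RFC 7239 Forwarded header or X-Forwarded-Proto, and adds the check a defender wants: proxy headers are honoured only when the hop came from a trusted proxy address, so a client on the open internet cannot send X-Forwarded-Proto: https itself and bypass forceHttps. The trusted range 10.0.0.0/8, the addresses, the header values and the function names are all assumptions made for the example.

```python
# Added example, not Spring Security code: a model of commence() behind a TLS-terminating LB.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import re

TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]  # assumption: the LB forwards from this range
MAX_HOPS = 5                                  # cap so the model cannot actually loop forever


@dataclass
class Request:
    """Minimal stand-in for the servlet request: scheme, peer address, headers."""
    scheme: str
    remote_addr: str
    headers: dict = field(default_factory=dict)


def forwarded_proto(req):
    """Scheme asserted by the proxy, or None. Checks RFC 7239 Forwarded, then X-Forwarded-Proto."""
    fwd = req.headers.get("Forwarded")
    if fwd:
        # Only the first (client-nearest) element matters; proto= may be quoted, case-insensitive.
        first_hop = fwd.split(",")[0]
        m = re.search(r'proto\s*=\s*"?([a-zA-Z][a-zA-Z0-9+.-]*)"?', first_hop, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    xfp = req.headers.get("X-Forwarded-Proto")
    if xfp:
        return xfp.split(",")[0].strip().lower()
    return None


def apply_forwarded_headers(req):
    """Model of ForwardedHeaderFilter / RemoteIpValve: trust proxy headers only from a known proxy."""
    addr = ip_address(req.remote_addr)
    if not any(addr in net for net in TRUSTED_PROXIES):
        # Untrusted peer: a spoofed "X-Forwarded-Proto: https" must not switch forceHttps off.
        return req
    proto = forwarded_proto(req)
    if proto in ("http", "https"):
        return Request(proto, req.remote_addr, req.headers)
    return req


def commence(req, force_https=True):
    """The entry point's decision from the issue: redirect to HTTPS, or forward to the login page."""
    if force_https and req.scheme == "http":
        return "redirect-https"
    return "forward-login"


def lb_forward(add_headers=True):
    """Model of the LB: the client spoke HTTPS, the LB forwards HTTP and may add proxy headers."""
    headers = {"X-Forwarded-Proto": "https"} if add_headers else {}
    return Request("http", "10.0.0.5", headers)


def simulate(filter_enabled, lb_adds_headers=True):
    """Replay client -> LB -> app, following each HTTPS redirect, until the app stops redirecting.

    Returns (outcome, hops): ("forward-login", n) when the login forward happens on hop n,
    or ("redirect-loop", MAX_HOPS) when every hop redirected to HTTPS again.
    """
    for hop in range(1, MAX_HOPS + 1):
        req = lb_forward(lb_adds_headers)
        if filter_enabled:
            req = apply_forwarded_headers(req)
        if commence(req) == "forward-login":
            return "forward-login", hop
        # The client follows the HTTPS redirect; the LB forwards it as HTTP once more.
    return "redirect-loop", MAX_HOPS


if __name__ == "__main__":
    print("no filter:          ", simulate(filter_enabled=False))
    print("filter, LB headers: ", simulate(filter_enabled=True))
    print("filter, no headers: ", simulate(filter_enabled=True, lb_adds_headers=False))
```

The third run reproduces the reporter's caveat: with the filter in place but an LB that sends no proxy header, the scheme is still "http" and the redirect loop remains, so the LB configuration and the container or filter configuration have to agree. The trusted-proxy check is the part that makes honouring the header safe; without it the header is client-controlled input.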
rwinch changed the title from "LoginUrlAuthenticationEntryPoint: Infinite loop in commence method for LB based deployment" to "Document Proxy Server Configuration" on Oct 25, 2016
Configuration
Version
spring-security-web-3.2.4.RELEASE
Sample
Refer the config above