Document Proxy Server Configuration #4076

Closed
balaji-katika opened this issue Sep 29, 2016 · 1 comment

balaji-katika commented Sep 29, 2016

Summary

Infinite loop occurs in commence method for Load Balancer (LB) based deployment

Actual Behavior

When useForward is true, the below if check runs in an infinite loop as the https requests received by the LB are forwarded to the webserver as http:
    if (forceHttps && "http".equals(request.getScheme())) {
        // First redirect the current request to HTTPS.
        // When that request is received, the forward to the login page will be used.
        redirectUrl = buildHttpsRedirectUrlForRequest(request);
    }

Expected Behavior

The if condition above could use the header Forward-proto or X-Forward-proto (refer to https://tools.ietf.org/html/rfc7239#page-7) to determine if the server has a proxy or LB configured. Not all LBs add this header, and hence it can't always be relied on. Instead, an additional boolean param should be provided with this class to allow users to skip this check for such deployments.

Configuration

<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="forceHttps" value="true"></property>
    <property name="useForward" value="true"></property>
</bean>

Version

spring-security-web-3.2.4.RELEASE

Sample

Refer to the config above

@rwinch rwinch self-assigned this Oct 18, 2016
rwinch pushed a commit that referenced this issue Oct 18, 2016
@rwinch rwinch added this to the 4.2.0 RC1 milestone Oct 18, 2016
@rwinch rwinch added in: docs An issue in Documentation or samples type: enhancement A general enhancement labels Oct 18, 2016

rwinch commented Oct 18, 2016

Thanks for the report.

To solve this you either need to configure your container for a proxy server (i.e. Tomcat's RemoteIpValve) or in Spring 4.3+ you can use ForwardedHeaderFilter.

I updated the documentation to include this information. See 0c35209d77660f397e0ca3f71a7815aebd6858bc

@rwinch rwinch closed this as completed Oct 18, 2016
@rwinch rwinch changed the title LoginUrlAuthenticationEntryPoint: Infinite loop in commence method for LB based deployment Document Proxy Server Configuration Oct 25, 2016
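
The redirect loop reported in this thread, and the effect of honouring a forwarded-protocol header only when it comes from a known proxy, modelled in plain Java as an added example (not code from the issue or from Spring Security). The class and method names, the `x-forwarded-proto` header and the addresses 10.0.0.5 and 203.0.113.9 are constructed assumptions, and the spoofed-header case goes slightly beyond what the thread discusses.

```java
import java.util.Collections;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Added illustration of the LB-to-backend hop; not Spring Security code. */
public class ForwardedProtoDemo {
    // Constructed value: the load balancer's address as the backend sees it.
    static final Set<String> TRUSTED_PROXIES = Collections.singleton("10.0.0.5");

    /** Scheme the backend should act on for one request. */
    static String effectiveScheme(String remoteAddr, String socketScheme,
                                  Map<String, String> headers, boolean honorForwarded) {
        String proto = headers.get("x-forwarded-proto");
        // Only a known proxy may override the scheme; the same header sent by
        // any other peer is ignored, so a client cannot dodge the HTTPS redirect.
        if (honorForwarded && proto != null && TRUSTED_PROXIES.contains(remoteAddr)) {
            return proto.trim().toLowerCase(Locale.ROOT);
        }
        return socketScheme;
    }

    /** Same test as the entry point's check with forceHttps=true. */
    static boolean redirectsToHttps(String scheme) {
        return "http".equals(scheme);
    }

    /** Redirects a browser follows via the LB before the login page is served; -1 means it never is. */
    static int redirectsUntilLogin(boolean honorForwarded, int maxRedirects) {
        // Browser speaks https to the LB, which forwards plain http plus the header.
        Map<String, String> fromLb = Collections.singletonMap("x-forwarded-proto", "https");
        for (int n = 0; n <= maxRedirects; n++) {
            String scheme = effectiveScheme("10.0.0.5", "http", fromLb, honorForwarded);
            if (!redirectsToHttps(scheme)) {
                return n;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        System.out.println("header ignored:    " + redirectsUntilLogin(false, 20));
        System.out.println("header from LB:    " + redirectsUntilLogin(true, 20));
        // Constructed direct client (203.0.113.9) spoofing the header over plain http.
        String spoofed = effectiveScheme("203.0.113.9", "http",
                Collections.singletonMap("x-forwarded-proto", "https"), true);
        System.out.println("spoofed, direct:   still redirected = " + redirectsToHttps(spoofed));
    }
}
```

Tomcat's RemoteIpValve makes this kind of sender check through its `internalProxies` setting; ForwardedHeaderFilter does not check the sender, so the proxy in front of it has to strip forwarded headers supplied by clients.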