10

I'm having a problem trying to get <security:intercept-url ... requires-channel="https"/> to work properly on WAS. The application server is SSL-enabled.

When I have my configuration like this:-

<security:http auto-config="true">
    <security:form-login .../>
    <security:logout .../>

    <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    <security:intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER" />
</security:http>

... I can hit both http://server/myapp and https://server/myapp. In both cases, Spring Security was able to intercept this URL and present me the login page.

Now, what I want to do is to redirect all http URLs to https URLs. So, I added requires-channel="https" to <security:intercept-url />

<security:http auto-config="true">
    <security:form-login .../>
    <security:logout .../>

    <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https" />
    <security:intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER" requires-channel="https" />
</security:http>

... now, when I try to hit http://server/myapp , I'm seeing http://server/myapp/myapp/myapp/myapp/myapp/myapp and it goes into a redirect loop.

So, I redefined the port mappings:-

<security:http auto-config="true">
    <security:form-login .../>
    <security:logout .../>

    <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https" />
    <security:intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER" requires-channel="https" />

    <security:port-mappings>
        <security:port-mapping http="80" https="443"/>
    </security:port-mappings>
</security:http>

... when I try to hit http://server/myapp , the URL doesn't change in the browser bar, but I still get the "redirect loop" problem. Even if I try to hit https://server/myapp, I still get the same problem.

I'm running out of ideas on how to debug this problem. It seems like when I add requires-channel="https", it breaks on WAS but it works just fine on Jetty. My current workaround is to remove requires-channel="https" so that https works on WAS, but then the users may come to the site using http.

Just to throw another thing out, adding port 9080 for http and port 9443 for https doesn't fix the problem either on WAS.

Any ideas? Thank you for your help.

limc
  • Disclaimer: I could be wrong, this is the Internet after all :) I seem to recall that you need `` or call `DefaultServletHandlerConfigurer.enable()` if you're using annotation config in order to get that working, so you might want to check if you haven't added it already. – Zoran Regvart Oct 24 '15 at 08:29
  • Did you ever find a solution to this? I'm running into the same issue – Garuuk Feb 06 '17 at 18:43
  • I've got the same problem... Any solution? – eduyayo Feb 24 '17 at 12:24
  • Did you try to see where in the Spring framework the loop occurs? You might be able to introduce a filter that breaks the loop – Andrei Epure Jun 26 '17 at 11:21

1 Answer

0

> My current workaround is to remove requires-channel="https" so that https works on WAS, but then the users may come to the site using http.

I don't have a solution to the problem, but here's a workaround that fixes this:

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Servlet filter that sends every request the container does not report as secure to the HTTPS site.
@Component
public class UnsecureRequestFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
                    throws ServletException, IOException {
        if (!request.isSecure()) {
            // Always redirects to the site root; the requested path and query string are not kept.
            response.sendRedirect("https://domain.example.com/");
        } else {
            // Already on HTTPS: continue with the rest of the filter chain.
            filterChain.doFilter(request, response);
        }
    }
}

This is platform independent, so should work with WAS as well as any other container.

eis
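A variant of the filter in the answer above, added here as an example (not the answerer's code): it keeps the requested path and query string instead of always redirecting to the site root, and takes the HTTPS origin from a fixed constant rather than from the request's Host header. The class name `HttpsRedirectFilter`, the `httpsLocation` helper, the HSTS `max-age` value and the 403 response for non-GET/HEAD requests are assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;

public class HttpsRedirectFilter extends OncePerRequestFilter {

    // Assumption: fixed public HTTPS origin (the placeholder host used in the answer).
    // It comes from configuration, never from the client-supplied Host header.
    private static final String HTTPS_ORIGIN = "https://domain.example.com";

    // Builds the redirect target. getRequestURI() already includes the context
    // path (e.g. /myapp/admin), so it is appended exactly once.
    static String httpsLocation(String requestUri, String queryString) {
        String path = (requestUri == null || !requestUri.startsWith("/")) ? "/" : requestUri;
        return HTTPS_ORIGIN + path + (queryString == null ? "" : "?" + queryString);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        if (request.isSecure()) {
            // Ask browsers to use HTTPS for this host for the next year (HSTS).
            response.setHeader("Strict-Transport-Security", "max-age=31536000");
            filterChain.doFilter(request, response);
            return;
        }
        String method = request.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method)) {
            // Same resource, HTTPS scheme; the rest of the chain is not invoked.
            response.sendRedirect(httpsLocation(request.getRequestURI(), request.getQueryString()));
        } else {
            // A redirect would drop or replay the request body, so refuse instead.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
        }
    }
}
```

Like the answer's filter, this relies on `request.isSecure()`; if the container reports HTTPS requests as non-secure, the redirect repeats on every request.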