
We're deploying our API in a docker container behind a gateway. Everything behind the gateway is http, not https. As a result, when Spring Security tries to redirect a user to the authorization Uri, it does it to http which throws a 404. (because when the redirect hits the user's browser, the browser cannot find it at http, only at https)

I have been unable to find where this redirect occurs. For example, if a user goes to https://thecompany.com/securedpage, and Spring Security sees they're not authenticated (no JWT), some code will then redirect to /oauth2/authorization/{registrationId}.

I found where the resolving is done (OAuth2AuthorizationRequestRedirectWebFilter.filter(ServerWebExchange exchange, WebFilterChain chain)), but I cannot seem to find where the redirect occurs. I walked all the way down the Security Filter Chain, but even at the last one, there was no header in the response for a redirect, nor was there a status of 302.

How can I override the redirect to enforce https?

Don Rhummy

1 Answer


Did you follow the chapter "Proxy Server Configuration" from the Spring Security documentation to configure your gateway?

You need to make your application aware of that configuration (https --> gateway --> http --> your_app) by setting X-Forwarded headers and by configuring the ForwardedHeaderFilter in your app.

Sébastien PRAT
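As an added illustration of the answer (not code from either poster), the following configuration wires up forwarded-header handling on the WebFlux stack that the question's `ServerWebExchange`/`WebFilter` classes belong to, where `ForwardedHeaderTransformer` plays the role `ForwardedHeaderFilter` plays for servlet applications. The self-check method shows what the application sees once the gateway forwards `X-Forwarded-*` headers; the container hostname `api-container:8080` is a constructed placeholder.

```java
// Added example, not from the question or answer. Assumes Spring WebFlux and a
// gateway that terminates TLS and sets X-Forwarded-Proto / X-Forwarded-Host / X-Forwarded-Port.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.web.server.adapter.ForwardedHeaderTransformer;

@Configuration
public class ForwardedHeadersConfig {

    // WebFlux applies this transformer to every request before any WebFilter runs,
    // including OAuth2AuthorizationRequestRedirectWebFilter. The request URI is rebuilt
    // from the X-Forwarded-* headers, so a redirect computed from
    // exchange.getRequest().getURI() is emitted as https://thecompany.com/... rather
    // than the plain-http address the container itself listens on.
    // Servlet-stack equivalent: org.springframework.web.filter.ForwardedHeaderFilter.
    // With Spring Boot, server.forward-headers-strategy=framework registers this for you.
    @Bean
    public ForwardedHeaderTransformer forwardedHeaderTransformer() {
        return new ForwardedHeaderTransformer();
    }

    // Self-check: build the request exactly as the gateway would hand it to the
    // container (plain http, forwarded headers set) and return the URI the app sees.
    public static String uriSeenByApp(ForwardedHeaderTransformer transformer) {
        ServerHttpRequest fromGateway = MockServerHttpRequest
                .get("http://api-container:8080/securedpage")   // constructed container address
                .header("X-Forwarded-Proto", "https")
                .header("X-Forwarded-Host", "thecompany.com")   // public host from the question
                .header("X-Forwarded-Port", "443")
                .build();
        ServerHttpRequest asSeenByApp = transformer.apply(fromGateway);
        return asSeenByApp.getURI().toString();   // https://thecompany.com/securedpage
    }

    public static void main(String[] args) {
        System.out.println(uriSeenByApp(new ForwardedHeaderTransformer()));
    }
}
```

Because the application now trusts whatever `X-Forwarded-*` values arrive, it should only be reachable through the gateway (which overwrites those headers), not directly from clients.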