
I'm using Tomcat 7 and Spring 3.1.0.RELEASE.

Before making this change the authentication process worked well; after making it, it stopped working:

web.xml before:

```xml
<user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
```

After:

```xml
<user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
```

The problem is that the application can now be accessed without HTTPS, but we can't log in because Spring Security is redirecting to the login page, as expected when the user is not logged in. If I comment out the security:intercept-url in applicationContext-security.xml it works well. I don't understand how HTTPS can affect the Spring Security authentication. The user and roles are the same using HTTPS and HTTP.

  • Did you check if JSESSIONID cookies get the `secure` flag set to `true`? If so, it won't be transmitted through plain text transport and it looks like users are logged off instantly. Maybe this is helpful reading: [Add secure flag to JSESSIONID cookie in spring automatically](https://stackoverflow.com/questions/39252924/add-secure-flag-to-jsessionid-cookie-in-spring-automatically) – Selaron Mar 20 '19 at 16:43
  • I've tried with secure for cookie config set as true and false and I get the same problem. I noticed that the cookie is not being stored on the browser side. – Vinicius Falcão Mar 20 '19 at 17:35
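
The check suggested in the first comment, as an added example (not code from the question, Tomcat or Spring): it parses a `Set-Cookie` response header and reports whether a browser would keep and return the session cookie for the scheme the page was loaded over. The header values are constructed samples and `cookie_fate` is a hypothetical helper name.

```python
from http.cookies import SimpleCookie


def cookie_fate(set_cookie_header, scheme, name="JSESSIONID"):
    """Classify what happens to cookie `name` for a page loaded over `scheme`.

    "missing"  - the header does not set the cookie at all
    "rejected" - cookie carries Secure but the connection is plain http:
                 current browsers refuse to store it and would never send
                 it over http anyway, so every request looks anonymous
    "sent"     - cookie is stored and returned on the next request
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        return "missing"
    morsel = jar[name]
    # morsel["secure"] is True when the attribute is present, "" otherwise
    if morsel["secure"] and scheme.lower() != "https":
        return "rejected"
    return "sent"


if __name__ == "__main__":
    # Constructed sample headers, as they would appear in the login response
    # (copy the real ones from the browser's network tab or `curl -i`).
    samples = [
        ("JSESSIONID=ABC123; Path=/app; Secure; HttpOnly", "https"),
        ("JSESSIONID=ABC123; Path=/app; Secure; HttpOnly", "http"),
        ("JSESSIONID=ABC123; Path=/app; HttpOnly", "http"),
        ("OTHER=1; Path=/", "http"),
    ]
    for header, scheme in samples:
        print(f"{scheme:5} {cookie_fate(header, scheme):8} {header}")
```

A "rejected" or "missing" result over `http` means the session id never reaches the server on the follow-up request, which shows up as a redirect back to the login page.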

0 Answers