blocked:mixed-content error after spring boot upgrade

Question

I have upgraded some micro services that talk to each other from Spring Boot 1.5.3 to 2.3.5. Now when my micro service A calls micro service B, the call fails with the following status on the network tab of chrome's developer tools (blocked:mixed-content)

I am not sure what has changed that I start getting this error.

In browser's console I get the below error:

Mixed Content: The page at 'https://gateway-url/my-endpoint' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://micro-service-b-url/login'. This request has been blocked; the content must be served over HTTPS.

The strange thing is that there is no end-point /login in my entire codebase. I am unable to understand this behavior after springboot upgrade.

Any guidance on how spring boot upgrade led to this error and possible resolution is appreciated.

Note: I found some answers that suggest using the below code to resolve this

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

but looks like it doesn't work with all browsers and I am not sure if its safe to use this solution in terms of security.

Answer 1

Understood the issue and found the solution.

Looks like the security hooks used in SpringBoot 1 are deprecated in SpringBoot 2. So in my micro-service B the below config in properties file wasn't working after upgrade

security.basic.enable: false
security.ignored=/**

as a result SpringBoot 2 was enforcing default security config on micro-service B and calls to micro-service B through gateway were being redirected to web-sso login which resulted in the mysterious /login endpoint being called.

The solution was to disable default security. I did the below steps:

1. Removed deprecated hooks from properties file:
   
    security.basic.enable: false
    security.ignored=/**

 2. Disabled default security using below config  

    @SpringBootApplication(exclude = { SecurityAutoConfiguration.class, 
                                       ManagementWebSecurityAutoConfiguration.class })
    public class MyApplication  extends WebMvcConfigurerAdapter{

Note: I had to exclude ManagementWebSecurityAutoConfiguration.class because the micro-service was using SpringBoot actuator