Force Grails/Weblogic To Only Redirect Using HTTPS protocol

£可爱£侵袭症+ 提交于 2020-01-03 15:54:31

问题


I'm using Grails (2.2.2) on a project and my application issues undesirable http redirects instead of https redirects.

We currently have an F5 load balancer in front of Oracle Weblogic. The F5 is offloading our SSL from Weblogic. The F5 only accepts https requests and Weblogic only accepts http requests.

My Grails project uses the Spring Security and Spring Security CAS plugin.

The problem typically occurs on a successful CAS login. Grails seems to always issue an HTTP redirect.

My serverURL specifies HTTPS as do all my CAS configuration variables. like

grails.serverURL = "https://example.com/${appName}"

Is there any way to force GRAILS/Weblogic to only issue https redirects?

EDIT #1 - Further Info

I've tried doing this with no luck:

grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
grails.plugin.springsecurity.secureChannel.definition = [
    '/**': 'REQUIRES_SECURE_CHANNEL'
 ]
grails.plugin.springsecurity.portMapper.httpPort = 80
grails.plugin.springsecurity.portMapper.httpsPort = 443
grails.plugin.springsecurity.secureChannel.secureHeaderName = 'WL-Proxy-SSL'
grails.plugin.springsecurity.secureChannel.secureHeaderValue = 'http'
grails.plugin.springsecurity.secureChannel.insecureHeaderName = 'WL-Proxy-SSL'
grails.plugin.springsecurity.secureChannel.insecureHeaderValue = 'https'

Also, the behavior seems like it may be related to Spring Security/Spring CAS plugin not respecting protocol

The redirect that happens after j_spring_security_check seems to always return an http redirect instead of an https redirect. This creates a problem as we do not allow http requests on the F5 server. I.E.

https://www.example.com/grailsapp/
-> 
https://www.casserver.com/cas/login?service=https%3A%2F%2Fwww.example.com%2Fgrailsapp%2Fj_spring_cas_security_check
-> https://www.example.com/grailsapp/j_spring_cas_security_check;jsessionid=f6T8RyDZ83Z2QQQlMQ7fGXvlrs05m9hTjlBkndD6stBh1s20v2ZH!-1677111548?ticket=ST-231-4Dl5PVDe4RRLpAW5CEXb-www.casserver.com
->
http://www.example.com/grailsapp/

Config for CAS plugin:

production {
    grails.plugins.springsecurity.cas.loginUri = '/login'
    grails.plugins.springsecurity.cas.serviceUrl = 'https://example.com/grailsapp/j_spring_cas_security_check'
    grails.plugins.springsecurity.cas.serverUrlPrefix = 'https://casserver.com/cas'
    grails.plugins.springsecurity.logout.afterLogoutUrl = 'https://casserver.com/cas/logout?url=https://example.com/grailsapp/'
}

回答1:


I would recommend you look at your channel security settings for Spring Security. Pay attention to the section regarding F5s and SSL in the documentation.

I suspect you are missing the following from your configuration:

grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true

I also suspect you aren't forcing your application to always run under SSL by setting:

grails.plugin.springsecurity.secureChannel.definition = [
   '/**': 'REQUIRES_SECURE_CHANNEL'
]



回答2:


You might want to consider http://grails.org/plugin/force-ssl

Otherwise we recommend using Apache / Nginx to do the redirect




回答3:


I was able to come up with a solution through an F5 redirect rewrite rule. Unfortunately, it is not as ideal as coming up with a Grails solution but it works for my environment.

when HTTP_RESPONSE { 
  if { [HTTP::is_redirect] }{ 
        HTTP::header replace Location [string map {"http://example.com/grailsapp/" "https://example.com/grailsapp/"} [HTTP::header Location]] 
    } 
}


来源:https://stackoverflow.com/questions/23664835/force-grails-weblogic-to-only-redirect-using-https-protocol

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!