/*
 * Webpack async chunk 169, module 593: a VuePress page component for the
 * Spring Security "HTTP" documentation page (h1 "HTTP", with the sections
 * "Redirect to HTTPS", "Strict Transport Security" and
 * "Proxy Server Configuration"). Generated, minified code — do not hand-edit;
 * the source of truth is the markdown the build compiled it from.
 *
 * Structure (as visible here):
 *  - r.r(t) is webpack's ES-module marker; module 56 (bound to `a`) is called
 *    as Object(a.a)({}, renderFn, [], !1, null, null, null) — presumably the
 *    vue-loader component normalizer, TODO confirm against module 56.
 *  - The render function builds a ContentSlotsDistributor keyed by
 *    e.$parent.slotKey; `e._v` creates text vnodes, `r(...)` element and
 *    component vnodes (RouterLink for internal pages, OutboundLink after each
 *    external anchor). The trailing `,1` arguments are Vue's children
 *    normalization hints.
 *  - Every external anchor sets target="_blank" together with
 *    rel="noopener noreferrer", so the opened page cannot reach back through
 *    window.opener.
 *  - The "\n" sequences inside string literals are escaped newlines carried
 *    over from soft line breaks in the markdown. The raw line breaks in this
 *    listing fall inside string literals and are presumably viewer wrapping
 *    rather than part of the bundle — confirm against the original file.
 *
 * NOTE(review) on the rendered "Proxy Server Configuration" guidance:
 *  - RemoteIpValve, ForwardedRequestCustomizer, ForwardedHeaderFilter and the
 *    `server.use-forward-headers` property all make the application honour
 *    X-Forwarded-* / Forwarded headers. If the application can be reached
 *    without traversing the load balancer, a client can supply those headers
 *    itself, so the trusted-proxy settings of whichever mechanism is chosen
 *    (for Tomcat, RemoteIpValve's internalProxies/trustedProxies) should be
 *    limited to the real proxy addresses, and the proxy itself should set
 *    rather than append the forwarded values.
 *  - `server.use-forward-headers` is deprecated in newer Spring Boot releases
 *    in favour of `server.forward-headers-strategy`; check which one the
 *    target Boot version expects before copying this configuration.
 *  - "https://192.168.1:8080" in the text is an illustrative placeholder, not
 *    a well-formed IPv4 address.
 */
(window.webpackJsonp=window.webpackJsonp||[]).push([[169],{593:function(e,t,r){"use strict";r.r(t);var a=r(56),o=Object(a.a)({},(function(){var e=this,t=e.$createElement,r=e._self._c||t;return r("ContentSlotsDistributor",{attrs:{"slot-key":e.$parent.slotKey}},[r("h1",{attrs:{id:"http"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#http"}},[e._v("#")]),e._v(" HTTP")]),e._v(" "),r("p",[e._v("All HTTP based communication, including "),r("a",{attrs:{href:"https://www.troyhunt.com/heres-why-your-static-website-needs-https/",target:"_blank",rel:"noopener noreferrer"}},[e._v("static resources"),r("OutboundLink")],1),e._v(", should be protected "),r("a",{attrs:{href:"https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html",target:"_blank",rel:"noopener noreferrer"}},[e._v("using TLS"),r("OutboundLink")],1),e._v(".")]),e._v(" "),r("p",[e._v("As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly.\nHowever, it does provide a number of features that help with HTTPS usage.")]),e._v(" "),r("h2",{attrs:{id:"redirect-to-https"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#redirect-to-https"}},[e._v("#")]),e._v(" Redirect to HTTPS")]),e._v(" "),r("p",[e._v("When a client uses HTTP, Spring Security can be configured to redirect to HTTPS both "),r("RouterLink",{attrs:{to:"/servlet/exploits/http.html#servlet-http-redirect"}},[e._v("Servlet")]),e._v(" and "),r("RouterLink",{attrs:{to:"/reactive/exploits/http.html#webflux-http-redirect"}},[e._v("WebFlux")]),e._v(" environments.")],1),e._v(" "),r("h2",{attrs:{id:"strict-transport-security"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#strict-transport-security"}},[e._v("#")]),e._v(" Strict Transport Security")]),e._v(" "),r("p",[e._v("Spring Security provides support for "),r("RouterLink",{attrs:{to:"/en/spring-security/headers.html#headers-hsts"}},[e._v("Strict Transport Security")]),e._v(" and enables it by 
default.")],1),e._v(" "),r("h2",{attrs:{id:"proxy-server-configuration"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#proxy-server-configuration"}},[e._v("#")]),e._v(" Proxy Server Configuration")]),e._v(" "),r("p",[e._v("When using a proxy server it is important to ensure that you have configured your application properly.\nFor example, many applications will have a load balancer that responds to request for "),r("a",{attrs:{href:"https://example.com/",target:"_blank",rel:"noopener noreferrer"}},[e._v("https://example.com/"),r("OutboundLink")],1),e._v(" by forwarding the request to an application server at "),r("a",{attrs:{href:"https://192.168.1:8080",target:"_blank",rel:"noopener noreferrer"}},[e._v("https://192.168.1:8080"),r("OutboundLink")],1),e._v(".\nWithout proper configuration, the application server will not know that the load balancer exists and treat the request as though "),r("a",{attrs:{href:"https://192.168.1:8080",target:"_blank",rel:"noopener noreferrer"}},[e._v("https://192.168.1:8080"),r("OutboundLink")],1),e._v(" was requested by the client.")]),e._v(" "),r("p",[e._v("To fix this you can use "),r("a",{attrs:{href:"https://tools.ietf.org/html/rfc7239",target:"_blank",rel:"noopener noreferrer"}},[e._v("RFC 7239"),r("OutboundLink")],1),e._v(" to specify that a load balancer is being used.\nTo make the application aware of this, you need to either configure your application server aware of the X-Forwarded headers.\nFor example Tomcat uses the "),r("a",{attrs:{href:"https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html",target:"_blank",rel:"noopener noreferrer"}},[e._v("RemoteIpValve"),r("OutboundLink")],1),e._v(" and Jetty uses "),r("a",{attrs:{href:"https://www.eclipse.org/jetty/javadoc/jetty-9/org/eclipse/jetty/server/ForwardedRequestCustomizer.html",target:"_blank",rel:"noopener noreferrer"}},[e._v("ForwardedRequestCustomizer"),r("OutboundLink")],1),e._v(".\nAlternatively, Spring users can leverage 
"),r("a",{attrs:{href:"https://github.com/spring-projects/spring-framework/blob/v4.3.3.RELEASE/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java",target:"_blank",rel:"noopener noreferrer"}},[e._v("ForwardedHeaderFilter"),r("OutboundLink")],1),e._v(".")]),e._v(" "),r("p",[e._v("Spring Boot users may use the "),r("code",[e._v("server.use-forward-headers")]),e._v(" property to configure the application.\nSee the "),r("a",{attrs:{href:"https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-use-tomcat-behind-a-proxy-server",target:"_blank",rel:"noopener noreferrer"}},[e._v("Spring Boot documentation"),r("OutboundLink")],1),e._v(" for further details.")])])}),[],!1,null,null,null);t.default=o.exports}}]);