HTTP

All HTTP based communication should be protected using TLS.

Below you can find details around Servlet-specific features that assist with HTTPS usage.

Redirect to HTTPS

If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS.

For example, the following Java configuration will redirect any HTTP requests to HTTPS:

Example 1. Redirect to HTTPS
Java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends
		WebSecurityConfigurerAdapter {

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http
			// ...
			// Every request must arrive over a secure channel; a plain HTTP
			// request is answered with a redirect to its HTTPS equivalent.
			.requiresChannel(channel -> channel
				.anyRequest().requiresSecure()
			);
	}
}
Kotlin
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.web.servlet.invoke
import org.springframework.security.web.util.matcher.AnyRequestMatcher

@Configuration
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        http {
            // ...
            // Require a secure channel for every request; HTTP is redirected to HTTPS.
            requiresChannel {
                secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
            }
        }
    }
}

The following XML configuration will redirect all HTTP requests to HTTPS:

Example 2. Redirect to HTTPS with XML Configuration
<http>
	<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
...
</http>

Strict Transport Security

Spring Security provides support for Strict Transport Security and enables it by default.
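As an added example (not part of the Spring Security reference), the Java configuration from Example 1 extended with an explicit port mapping for an application assumed to listen on 9090 (HTTP) and 9443 (HTTPS), followed by Spring Boot MockMvc tests that check the redirect and the default Strict-Transport-Security header. The class names, the two ports and the /account path are assumptions for this example.

```java
// --- src/main/java/example/RequireHttpsConfig.java ---
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class RequireHttpsConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The default PortMapper only knows 80 -> 443 and 8080 -> 8443. Ports
            // 9090/9443 are assumed here; without a mapping for the request's port
            // the filter has no HTTPS port to send the client to.
            .portMapper(mapper -> mapper.http(9090).mapsTo(9443))
            .requiresChannel(channel -> channel.anyRequest().requiresSecure());
    }
}

// --- src/test/java/example/RequireHttpsConfigTests.java ---
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class RequireHttpsConfigTests {
    @Autowired MockMvc mvc;

    @Test
    void plainHttpIsRedirectedToHttps() throws Exception {
        // Scheme, host and port of the absolute URL populate the mock request.
        mvc.perform(get("http://localhost:9090/account?id=7"))
            .andExpect(status().isFound()) // 302 issued by the channel filter
            .andExpect(redirectedUrl("https://localhost:9443/account?id=7"));
    }

    @Test
    void httpsIsServedWithoutRedirectAndWithHsts() throws Exception {
        mvc.perform(get("https://localhost:9443/account"))
            .andExpect(header().doesNotExist("Location"))
            // HSTS is enabled by default and written only on secure requests.
            .andExpect(header().exists("Strict-Transport-Security"));
    }
}
```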

Proxy Server Configuration