Spring Boot Security using http instead of https when forwarding to login page
I am using Spring Boot Security with a custom AuthenticationProvider to secure a Java Spring Boot application. Attempts to access the application via a browser are directed to a custom login page. The body of my security config class is pasted below:-
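```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
@Configuration
public class SecurityConfiguration {

    // Custom AuthenticationProvider (class defined elsewhere in the application)
    @Bean
    public AuthenticationProvider authenticationProvider() {
        return new DocumentumAuthenticationProvider();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/content/login")
                .permitAll()
                .and()
            .logout()
                .logoutUrl("/content/logout")
                .logoutSuccessUrl("/content/logout")
                .permitAll();
        return http.build();
    }

    // Paths that bypass the security filter chain entirely
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring().antMatchers(
                "/retrieve/**", "/upload/**",
                "/content/css/**", "/content/scripts/**", "/content/images/**");
    }

    @Bean
    public BCryptPasswordEncoder encodePWD() {
        return new BCryptPasswordEncoder();
    }
}
```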
This all works fine when I run my services locally within my IDE. For the next step, I containerised my application and deployed it to an AWS EC2 server. I have configured a custom HTTPS port for the app and have added a corresponding listener to the Application Load Balancer.
The issue is that when a user attempts to access the app in a browser over https, Spring Security is forwarding the user to a login page using http instead of https as the protocol, e.g. user enters the following address in the browser:

`https://my-app:22223/content/documents`

...and is forwarded here...

`http://my-app:22223/content/login`
Because this is an https port, the user sees this error page:-
If the user manually changes the protocol to https in the browser address bar, it then works fine.
I would be very grateful if anyone would be able to advise me why Spring Boot Security is behaving this way and what steps I can take to force it to use https in the login URL. Many thanks for reading my post!
Solution 1:[1]
You should configure the ALB to terminate SSL (i.e. register certificate etc). If this is configured correctly, the ALB will automatically add a header (X-Forwarded-Proto) that tells Spring Security that it needs to use HTTPS for its redirects.
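An added example, not part of the answer above or of the asker's project: the application-side setting that makes Spring Boot act on the `X-Forwarded-Proto` header the answer refers to. It assumes Spring Boot 2.3 or later with embedded Tomcat and an ALB that terminates TLS and forwards plain HTTP to the container; the subnet pattern in `internal-proxies` is a constructed value.

```properties
# application.properties (added example, see assumptions above)

# Outside Cloud Foundry and Heroku this property defaults to "none": X-Forwarded-*
# headers are ignored, request.getScheme() stays "http", and Spring Security builds
# the login redirect with http://.
# "native" lets Tomcat's RemoteIpValve apply X-Forwarded-Proto and X-Forwarded-For.
server.forward-headers-strategy=native

# Tomcat applies the headers only when the connecting peer matches this regex.
# The default already matches loopback and private address ranges; narrowing it to
# the load balancer subnets limits who can influence the scheme and client address.
# Constructed value: replace with the subnets the ALB is deployed in.
server.tomcat.remoteip.internal-proxies=10\\.0\\.\\d{1,3}\\.\\d{1,3}

# Alternative: "framework" registers Spring's ForwardedHeaderFilter instead. That
# filter applies the headers from any peer, so use it only when the application
# port accepts connections from the load balancer alone (for example, a security
# group that admits only the ALB).
# server.forward-headers-strategy=framework
```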
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | marthursson |

