出于某种原因,我的Spring登录表单加载并发布到https,但是然后执行302到http页面导致错误。为什么它不会保留在https上,并使用https设置cookie?
POST / j_spring_security_check HTTP / 1.1
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9F9847C75A448A14CF631DBBD2F0E6A1; Path=/; HttpOnly
Location: http://example.com/
Content-Length: 0
Date: Fri, 24 Jan 2014 21:30:55 GMT
配置
<http pattern="/services/**" create-session="stateless" entry-point-ref="basicAuthAwareAuthenticationEntryPoint">
<http-basic/>
<intercept-url pattern="/services/**" access="ROLE_SERVICE" />
</http>
<http auto-config="true">
<intercept-url pattern="/index.*" access="ROLE_USER" />
<intercept-url pattern="/welcome.htm" access="ROLE_USER" />
<intercept-url pattern="/changePassword.htm" access="ROLE_USER" />
<intercept-url pattern="/admin/**" access="ROLE_USER" />
<intercept-url pattern="/notifications/**" access="ROLE_ANONYMOUS,ROLE_USER" />
<intercept-url pattern="/logging/**" access="ROLE_USER" />
<form-login login-page="/login.htm" default-target-url="/admin/viewInstitutions.htm"
authentication-failure-url="/loginfailed.htm" />
<logout logout-success-url="/logout.htm" />
</http>
答案 0 :(得分:0)
requires-channel="https"属性中,或者只在您的身份验证入口点设置forceHttps=true 答案 1 :(得分:0)
我的heroku配置遇到了类似的问题,最后是 Heroku正在完成HTTPS连接并向应用服务器发送HTTP连接。
默认情况下,Spring Security中的失败和成功URL不包含服务器名称(即successHandler.defaultTargetUrl='/'或successHandler.ajaxSuccessUrl='/login/ajaxSuccess')。
这意味着当处理程序确定转发到(此处)的URL时:
它将使用请求构建绝对URL,如下所示:
我设法通过将grairect应用程序的redirectUrls定义为绝对来解决这个问题(但你可以很容易地将其转换为标准的Spring应用程序),它会像这样:
staging {
grails.serverURL = "https://staging.myapp.com"
grails.plugin.springsecurity.successHandler.defaultTargetUrl = "${grails.serverURL}/"
grails.plugin.springsecurity.successHandler.ajaxSuccessUrl = "${grails.serverURL}/login/ajaxSuccess"
grails.plugin.springsecurity.failureHandler.defaultFailureUrl = "${grails.serverURL}/login/authfail?login_error=1"
grails.plugin.springsecurity.failureHandler.ajaxAuthFailUrl = "${grails.serverURL}/login/authfail?ajax=true"
...
}