Antora
mkdir -p docs/modules/ROOT/ mkdir -p docs/modules/ROOT/pages/ git checkout antora-2.x docs/antora.yml git checkout antora-2.x docs/modules/ROOT/nav.adoc mv docs/manual/src/docs/asciidoc/images docs/modules/ROOT/ mv docs/manual/src/docs/asciidoc/_includes/* docs/modules/ROOT/pages/ cp ~/code/rwinch/spring-reference/*antora* ~/code/spring-projects/spring-security/ mv docs/modules/ROOT/pages/about docs/modules/ROOT/pages/overview
This commit is contained in:
Rob Winch
@@ -0,0 +1,87 @@
|
||||
[[webflux-http]]
|
||||
= HTTP
|
||||
|
||||
All HTTP based communication should be protected <<http,using TLS>>.
|
||||
|
||||
Below you can find details around WebFlux specific features that assist with HTTPS usage.
|
||||
|
||||
[[webflux-http-redirect]]
|
||||
== Redirect to HTTPS
|
||||
|
||||
If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS.
|
||||
|
||||
For example, the following Java configuration will redirect any HTTP requests to HTTPS:
|
||||
|
||||
.Redirect to HTTPS
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
||||
http
|
||||
// ...
|
||||
.redirectToHttps(withDefaults());
|
||||
return http.build();
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
|
||||
return http {
|
||||
// ...
|
||||
redirectToHttps { }
|
||||
}
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
The configuration can easily be wrapped around an if statement to only be turned on in production.
|
||||
Alternatively, it can be enabled by looking for a property about the request that only happens in production.
|
||||
For example, if the production environment adds a header named `X-Forwarded-Proto` the following Java Configuration could be used:
|
||||
|
||||
.Redirect to HTTPS when X-Forwarded
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
||||
http
|
||||
// ...
|
||||
.redirectToHttps(redirect -> redirect
|
||||
.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
|
||||
);
|
||||
return http.build();
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
|
||||
return http {
|
||||
// ...
|
||||
redirectToHttps {
|
||||
httpsRedirectWhen {
|
||||
it.request.headers.containsKey("X-Forwarded-Proto")
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
[[webflux-hsts]]
|
||||
== Strict Transport Security
|
||||
|
||||
Spring Security provides support for <<servlet-headers-hsts,Strict Transport Security>> and enables it by default.
|
||||
|
||||
[[webflux-http-proxy-server]]
|
||||
== Proxy Server Configuration
|
||||
|
||||
Spring Security <<http-proxy-server,integrates with proxy servers>>.
|
||||
Reference in New Issue
Block a user