I have a Grails app using Spring Security Core running on an AWS machine behind a load balancer.
The load balancer terminates the SSL connections and forwards them to port 8080 of our instance, adding the appropriate X-Forwarded-Proto header.
I would like any direct access to a secured page to redirect to the login page using https.
For example, a request to https://myapp.com/private/page should redirect to https://myapp.com/login/auth.
I put this in my config.groovy:
grails.plugin.springsecurity.secureChannel.definition = [
'/login/**': 'REQUIRES_SECURE_CHANNEL'
]
but this causes a redirect loop (HTTP 302) to the http login page (http://myapp.com/login/auth).
Then I tried just with:
grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
grails.plugin.springsecurity.auth.forceHttps = true
but this causes a redirect (HTTP 302) to the http login page (http://myapp.com/login/auth).
- The issue presents itself only with the production setup (WAR deployed to Tomcat behind the load balancer).
- If I test the same config.groovy on my local dev machine, the redirect to https://myapp.com/login/auth happens just fine.
- I tried to specify a different httpsPort for Spring Security; again it works on my local dev machine, but it is completely ignored in the deployed app, which keeps redirecting to http.
No luck looking at similar posts. Any ideas?
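An added example, not the asker's configuration (only a fragment of that is shown above): a Config.groovy for Spring Security Core 2.x that lets the channel filter decide "secure or not" from the X-Forwarded-Proto header the load balancer sets, instead of from request.isSecure(), which is always false on a plain port-8080 connector behind a TLS-terminating load balancer. The header name and value shown are the plugin defaults, spelled out so the contract with the load balancer is visible; the port numbers (public 443/80, Tomcat 8080) are assumptions.

```groovy
// grails-app/conf/Config.groovy  (added example; ports are assumptions)

// Decide the channel from the proxy header, not from the local connector.
grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
grails.plugin.springsecurity.secureChannel.secureHeaderName   = 'X-Forwarded-Proto'
grails.plugin.springsecurity.secureChannel.secureHeaderValue  = 'https'
grails.plugin.springsecurity.secureChannel.insecureHeaderName  = 'X-Forwarded-Proto'
grails.plugin.springsecurity.secureChannel.insecureHeaderValue = 'http'

// Paths that must only be served when the load balancer says the client used https.
grails.plugin.springsecurity.secureChannel.definition = [
    '/login/**':   'REQUIRES_SECURE_CHANNEL',
    '/private/**': 'REQUIRES_SECURE_CHANNEL'
]

// Build the login redirect with the https scheme.
grails.plugin.springsecurity.auth.forceHttps = true

// Assumption: Tomcat sees requests on 8080 and the public https port is 443.
// The entry point looks the https port up from the port the request arrived on,
// so the mapping must be keyed by the port Tomcat actually sees.
grails.plugin.springsecurity.portMapper.httpPort  = 8080
grails.plugin.springsecurity.portMapper.httpsPort = 443
```

Two things to verify before relying on this. First, header-check channel security trusts whatever X-Forwarded-Proto says, so port 8080 must be reachable only from the load balancer (security group rules); anyone who can hit the instance directly can send X-Forwarded-Proto: https and satisfy REQUIRES_SECURE_CHANNEL over plain HTTP. Second, if redirects still come out with the wrong scheme or port, check what Tomcat itself reports for scheme and server port behind the proxy (the Connector's proxyName/proxyPort/scheme/secure attributes, or Tomcat's RemoteIpValve driven by the same header, fix that at the container level); the plugin only sees what the container tells it.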
Best Answer
I also am hosting my Grails app with Spring Security Core 2.0-RC4 on AWS with https and a load balancer, and thanks to spock99 (above) and Ravi L of AWS, I got it working.
I did the following in config.groovy:
NOTE: The following were not needed in Spring Security Core 2.0-RC4 - they are already in DefaultSecurityConfig.groovy
I was getting false 'Unhealthy' readings because hitting '/' returns a 302 redirect to /login/auth, so I added a health() method to HomeController (which I mapped to '/health') for AWS to hit:
Key for me was that session cookies were not being handled properly with multiple instances running behind the Load Balancer (I did not discover this until setting the minimum number of instances to 2), so in order for users to be able to log in and stay logged in, I did the following on AWS:
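The '/health' endpoint the answer describes, written out as an added example (the answerer's own code is not on this page); the package and controller names are assumptions. Two config entries matter beyond the action itself: without the permitAll rule the health check gets the same 302 to /login/auth that the answer reports for '/', and without ANY_CHANNEL a REQUIRES_SECURE_CHANNEL rule covering the path would redirect the checker, which reaches port 8080 over plain HTTP and is not a browser that follows redirects to an https URL.

```groovy
// grails-app/controllers/myapp/HomeController.groovy  (package name is an assumption)
package myapp

class HomeController {

    // Plain 200 for the load balancer's health check; must never redirect.
    def health() {
        render status: 200, contentType: 'text/plain', text: 'OK'
    }
}

// grails-app/conf/UrlMappings.groovy
class UrlMappings {
    static mappings = {
        "/health"(controller: 'home', action: 'health')
        "/$controller/$action?/$id?" { }
        "/"(view: '/index')
    }
}

// grails-app/conf/Config.groovy
// Open the endpoint: with the 2.0 default rejectIfNoRule = true an unannotated
// action is refused, and an anonymous caller is sent to /login/auth.
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/health': ['permitAll']
]
// Keep it out of channel enforcement: the checker arrives over plain HTTP on 8080.
grails.plugin.springsecurity.secureChannel.definition = [
    '/health':   'ANY_CHANNEL',
    '/login/**': 'REQUIRES_SECURE_CHANNEL'
]
```

Keep the endpoint free of anything that touches a session or the database unless you want the health check to exercise those paths; a check that only proves the JVM answers is the usual baseline, and anything deeper should be a deliberate decision so that a dependency outage does not take every instance out of the load balancer at once.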