HTTP
All HTTP-based communication, including static resources, should be protected by using TLS.
As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly. However, it does provide a number of features that help with HTTPS usage.
Strict Transport Security
Spring Security provides support for Strict Transport Security and enables it by default.
Proxy Server Configuration
When using a proxy server, it is important to ensure that you have configured your application properly. For example, many applications have a load balancer that responds to requests for https://example.com/ by forwarding the request to an application server at https://192.168.0.107. Without proper configuration, the application server cannot know that the load balancer exists and treats the request as though https://192.168.0.107:8080 was requested by the client.
To fix this, you can use RFC 7239 to specify that a load balancer is being used. To make the application aware of this, you need to configure your application server to recognize the X-Forwarded headers. For example, Tomcat uses RemoteIpValve and Jetty uses ForwardedRequestCustomizer. Alternatively, Spring users can use ForwardedHeaderFilter with the Servlet stack or ForwardedHeaderTransformer with the Reactive stack.
Spring Boot users can use the server.forward-headers-strategy property to configure the application. See the Spring Boot documentation for further details.
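The following added example (not code from the Spring Security documentation or the Spring project) shows the problem described above and how ForwardedHeaderFilter corrects it on the Servlet stack: a constructed request as the application server at 192.168.0.107:8080 would receive it from the load balancer, before and after the filter applies the X-Forwarded-* headers. It assumes Spring Framework 6 (jakarta.servlet), with spring-web, spring-test and the Servlet API on the classpath.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.filter.ForwardedHeaderFilter;

public class ForwardedHeaderDemo {

    // Constructed request: the load balancer received https://example.com/
    // and forwarded it to the application server at 192.168.0.107:8080,
    // recording the original scheme, host and port in X-Forwarded-* headers.
    static MockHttpServletRequest requestFromLoadBalancer() {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
        request.setScheme("https");
        request.setServerName("192.168.0.107");
        request.setServerPort(8080);
        request.addHeader("X-Forwarded-Proto", "https");
        request.addHeader("X-Forwarded-Host", "example.com");
        request.addHeader("X-Forwarded-Port", "443");
        return request;
    }

    // Runs the request through ForwardedHeaderFilter and returns the wrapped
    // request that the rest of the filter chain (including Spring Security)
    // would see. The filter trusts whatever X-Forwarded-* values it receives,
    // so it belongs only on servers that are reachable exclusively through a
    // proxy that overwrites those headers; otherwise a client could supply
    // them and make the application build links for a host of its choosing.
    static HttpServletRequest applyForwardedHeaders(HttpServletRequest request) throws Exception {
        MockFilterChain chain = new MockFilterChain();
        new ForwardedHeaderFilter().doFilter(request, new MockHttpServletResponse(), chain);
        return (HttpServletRequest) chain.getRequest();
    }

    public static void main(String[] args) throws Exception {
        HttpServletRequest raw = requestFromLoadBalancer();
        // Without the filter the server believes the client asked for
        // https://192.168.0.107:8080/, which is what redirects and absolute
        // links would be built from.
        System.out.println("without filter: " + raw.getRequestURL());

        HttpServletRequest fixed = applyForwardedHeaders(raw);
        // With the filter the original https://example.com/ is restored:
        // getScheme() -> https, getServerName() -> example.com, getServerPort() -> 443
        System.out.println("with filter:    " + fixed.getRequestURL());
    }
}
```

In a Spring Boot application, setting server.forward-headers-strategy=framework registers this same filter for you, so no manual registration is needed there.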