HTTP

All HTTP-based communication should be protected using TLS.

This section discusses the details of servlet-specific features that assist with HTTPS usage.

Redirect to HTTPS

If a client makes a request using HTTP rather than HTTPS, you can configure Spring Security to redirect to HTTPS.

For example, the following Java or Kotlin configuration redirects any HTTP requests to HTTPS:

Redirect to HTTPS

Java:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			// ...
			// Every request must arrive over a secure channel; plain HTTP is redirected to HTTPS.
			.requiresChannel(channel -> channel
				.anyRequest().requiresSecure()
			);
		return http.build();
	}
}

Kotlin:

import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
// Kotlin DSL entry point (Spring Security 6.1+; earlier versions use org.springframework.security.config.web.servlet.invoke)
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain
import org.springframework.security.web.util.matcher.AnyRequestMatcher

@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            // ...
            // Every request must arrive over a secure channel; plain HTTP is redirected to HTTPS.
            requiresChannel {
                secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
            }
        }
        return http.build()
    }
}
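The redirect target is built from the PortMapper, which by default knows only 80 to 443 and 8080 to 8443; an application listening on any other HTTP port would be redirected to the same relative URL and loop. The following added example (not from the Spring Security reference) maps an assumed 9080/9443 port pair alongside the channel requirement and, as a hypothetical Spring Boot MockMvc test, checks the redirect that an HTTP request receives:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.junit.jupiter.api.Test;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@Configuration
@EnableWebSecurity
public class ChannelSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			// Every plain-HTTP request is answered with a redirect to HTTPS.
			.requiresChannel(channel -> channel.anyRequest().requiresSecure())
			// The redirect port comes from the PortMapper. Only 80->443 and 8080->8443
			// are mapped by default; an unmapped HTTP port yields a redirect to the same
			// relative URL, which loops. 9080/9443 are assumed ports for this example.
			.portMapper(mapper -> mapper.http(9080).mapsTo(9443));
		return http.build();
	}
}

// Hypothetical test: needs a Spring Boot test context that loads the config above.
@SpringBootTest
@AutoConfigureMockMvc
class ChannelSecurityTests {

	@Autowired
	MockMvc mockMvc;

	@Test
	void httpRequestIsRedirectedToHttps() throws Exception {
		// Scheme http, port 9080: ChannelProcessingFilter answers 302 with the mapped HTTPS port,
		// preserving path and query string.
		mockMvc.perform(get("http://localhost:9080/account?id=1"))
			.andExpect(status().isFound())
			.andExpect(redirectedUrl("https://localhost:9443/account?id=1"));
	}
}
```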

The following XML configuration redirects all HTTP requests to HTTPS:

Redirect to HTTPS with XML Configuration
<http>
	<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
...
</http>

Strict Transport Security

Spring Security provides support for Strict Transport Security and enables it by default.

Proxy Server Configuration

Spring Security integrates with proxy servers