負載平衡器,我們已經部署了正在終止SSL負載平衡器後面Tomcat上的Grails應用發揮很好(負載均衡,然後在端口8080 Tomcat實例通信)。我們已經配置SpringSecurity要求對所有資源的安全通道,從負載平衡器注意頭,迫使HTTPS和端口從負載均衡圖:如何獲得SpringSecurity/Grails的與被終止SSL
grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
grails.plugin.springsecurity.auth.forceHttps = true
grails.plugin.springsecurity.portMapper.httpPort = 80
grails.plugin.springsecurity.portMapper.httpsPort = 443
grails.plugin.springsecurity.secureChannel.definition = [
'/**': 'REQUIRES_SECURE_CHANNEL'
]
大部分是正常工作 - 來自Grails內部的重定向正如預期的那樣使用https協議,以及大多數ajax請求。
但是也有一些Ajax請求是不正常工作。它們都與j_spring_security *端點(如j_spring_security_check)交互的結果有關。例如,如果用戶試圖通過AJAX登錄,我們得到這個錯誤在瀏覽器中(這是登錄成功啓動重定向):
Mixed Content: The page at 'https://www.servernamehere.com/' was loaded over HTTPS, but
requested an insecure XMLHttpRequest endpoint 'http://www.servernamehere.com/login/ajaxSuccess'.
This request has been blocked; the content must be served over HTTPS.
同樣的問題發生在不成功的身份驗證:
Mixed Content: The page at 'https://www.servernamehere.com/' was loaded over HTTPS, but requested
an insecure XMLHttpRequest endpoint 'http://www.servernamehere.com/login/authfail?ajax=true'.
This request has been blocked; the content must be served over https.
我們如何配置Spring Security明白,走出身份驗證事件的所有重定向需要爲https?
麥克,這裏有同樣的問題,你能張貼你做了什麼的例子?謝謝! – Arturo 2015-02-16 20:30:30
我遇到了完全相同的問題。你能舉一個例子嗎? – 2015-05-06 15:44:56