spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Add require-ssl flag for webflux apps #5362

Open dyroberts opened 6 years ago

dyroberts commented 6 years ago

Summary

Add require-ssl flag for webflux apps

Configuration

Something like...

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
  // Proposed DSL: require a secure (HTTPS) channel for every exchange
  http.requiresChannel()
    .anyExchange()
      .requiresSecure();
  return http.build();
}

winster commented 4 years ago

I agree. With spring-boot-starter-webflux, the Netty server does not seem to check server.ssl.enabled=true. HTTP requests are still being intercepted, though a Netty exception 'unknown_ca' is raised. I would like to get behavior similar to Tomcat's. Tomcat respects the above configuration and you get the error "bad request this combination of host and port requires tls", without flooding the logs with the exception. Though I can use spring-boot-starter-webflux and spring-boot-starter-web together to make Tomcat the default server, there are some problems, especially when I build a WebClient bean with Spring Security. The exact error is that ReactiveClientRegistrationRepository could not be found. It is not a problem with a configuration property, as it works if there is only spring-boot-starter-webflux and not both.
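
The behaviour requested in this issue, sketched as a plain WebFlux `WebFilter`. This is an added example, not code from the thread or from Spring Security. The class name `RequireHttpsWebFilter` and the `httpsPort` parameter are hypothetical, and it assumes the application actually receives plain-HTTP exchanges (a separate HTTP listener, or a TLS-terminating proxy whose forwarded headers are already applied to the request URI).

```java
import java.net.URI;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import org.springframework.web.util.UriComponentsBuilder;
import reactor.core.publisher.Mono;

// Hypothetical filter (not a Spring Security class): never serves an exchange over plain HTTP.
public class RequireHttpsWebFilter implements WebFilter {

  private final int httpsPort; // assumed TLS port of this deployment, e.g. 8443

  public RequireHttpsWebFilter(int httpsPort) {
    this.httpsPort = httpsPort;
  }

  @Override
  public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
    ServerHttpRequest request = exchange.getRequest();
    URI uri = request.getURI();
    if ("https".equalsIgnoreCase(uri.getScheme())) {
      return chain.filter(exchange); // already on a secure channel
    }
    ServerHttpResponse response = exchange.getResponse();
    HttpMethod method = request.getMethod();
    if (HttpMethod.GET.equals(method) || HttpMethod.HEAD.equals(method)) {
      // Safe methods: send the client to the same URL on the TLS port.
      URI target = UriComponentsBuilder.fromUri(uri)
          .scheme("https")
          .port(httpsPort == 443 ? -1 : httpsPort) // -1 omits the default port
          .build(true) // components from getURI() are already encoded
          .toUri();
      response.setStatusCode(HttpStatus.PERMANENT_REDIRECT);
      response.getHeaders().setLocation(target);
    } else {
      // Choice made in this sketch: do not replay a body that already
      // crossed the network in clear text; reject instead of redirecting.
      response.setStatusCode(HttpStatus.FORBIDDEN);
    }
    return response.setComplete(); // the rest of the chain never runs
  }
}
```

Exposing an instance as a `@Bean` registers it with the WebFlux filter chain; give it a high precedence so it runs before filters that read credentials or session data.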