This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.4.1!spring-doc.cn

HTTP

All HTTP based communication should be protected using TLS.spring-doc.cn

Below you can find details around Servlet specific features that assist with HTTPS usage.spring-doc.cn

Redirect to HTTPS

If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS.spring-doc.cn

For example, the following Java configuration will redirect any HTTP requests to HTTPS:spring-doc.cn

Redirect to HTTPS
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			// ...
			.requiresChannel(channel -> channel
				.anyRequest().requiresSecure()
			);
		return http.build();
	}
}
@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            // ...
            requiresChannel {
                secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
            }
        }
        return http.build()
    }
}

The following XML configuration will redirect all HTTP requests to HTTPSspring-doc.cn

Redirect to HTTPS with XML Configuration
<http>
	<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
...
</http>

Strict Transport Security

Spring Security provides support for Strict Transport Security and enables it by default.spring-doc.cn

Proxy Server Configuration