This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.4.1!spring-doc.cn

HTTP

All HTTP-based communication should be protected using TLS.spring-doc.cn

This section discusses the details of servlet-specific features that assist with HTTPS usage.spring-doc.cn

Redirect to HTTPS

If a client makes a request using HTTP rather than HTTPS, you can configure Spring Security to redirect to HTTPS.spring-doc.cn

For example, the following Java or Kotlin configuration redirects any HTTP requests to HTTPS:spring-doc.cn

Redirect to HTTPS

Javaspring-doc.cn
Kotlinspring-doc.cn

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			// ...
			.requiresChannel(channel -> channel
				.anyRequest().requiresSecure()
			);
		return http.build();
	}
}

@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            // ...
            requiresChannel {
                secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
            }
        }
        return http.build()
    }
}

The following XML configuration redirects all HTTP requests to HTTPSspring-doc.cn

Redirect to HTTPS with XML Configuration

<http>
	<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
...
</http>

Strict Transport Security

Spring Security provides support for Strict Transport Security and enables it by default.spring-doc.cn

Proxy Server Configuration

Spring Security integrates with proxy servers.spring-doc.cn