
Spring mvc 3 - HTTPS access

开发者 https://www.devze.com 2023-02-26 12:03 出处:网络
How can I force a page to be accessed via HTTPS only. Need to do this v开发者_如何学编程ia Spring MVC 3 configuration file. Spring-security has such a configuration. see here for how to do it. In shor

How can I force a page to be accessed via HTTPS only. Need to do this v开发者_如何学编程ia Spring MVC 3 configuration file.

Spring-security has such a configuration. see here for how to do it. In short - you force the channel to use https:

    <intercept-url pattern="/secure/**" access="ROLE_USER" 
    <intercept-url pattern="/**" access="ROLE_USER" 

If you don't want to use spring-security, here's an interceptor that I wrote:

public class SslInterceptor extends HandlerInterceptorAdapter {

    // no need to inject it for now..
    private PathMatcher pathMatcher = new AntPathMatcher();

    private String secureRoot;

    private List<String> secureLocations;

    private boolean useSsl;

    public boolean preHandle(HttpServletRequest request,
            HttpServletResponse response, Object handler) throws Exception {

        if (useSsl && !request.isSecure() && shouldForceSecure(request.getRequestURI())) {

            String redirectUrl = secureRoot + request.getRequestURI();
            if (request.getQueryString() != null) {
                redirectUrl += "?" + request.getQueryString();
            // force session creation - thus it will be accessible to both the
            // secure and the insecure contexts
            return false;

        return true;

    private boolean shouldForceSecure(String path) {
        for (String pattern : secureLocations) {
            if (pathMatcher.match(pattern, path)) {
                return true;
        return false;

For an annotation based approach without spring security I wrote an interceptor and a new annotation:

 * Request mapping annotation to enforce secure or insecure requests.
 * Per default the annotated mapping is enforced to be secure.
 * @see org.springframework.web.bind.annotation.RequestMapping
@Target({ElementType.METHOD, ElementType.TYPE})
public @interface RequestProtocol {

  boolean secure() default true;

So you can simply declare a (here for REST) controller method like this:

@RequestMapping(value = "/secret", method = RequestMethod.GET)
@RequestProtocol(secure = true)
public Result doSecure(@Valid Model model) {
  return doSomething(model));

To enable the mapping use an interceptor redirecting on the wrong protocol. You could also do a more simple handling by just sending a FORBIDDEN response.

 * Interceptor to send a redirect on security enforced mappings with wrong type of request.
 * @see RequestProtocol
class RequestProtocolInterceptor extends HandlerInterceptorAdapter {

  private static final int PORT_DIFF = 443 - 80;

  public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws IOException {
    Boolean secure = checkSecure(handler);
    if (secure != null && request.isSecure() != secure) {
      response.sendRedirect(switchSecure(secure, request.getRequestURL()));
      return false;
    return true;

  private Boolean checkSecure(Object handler) {
    if (handler instanceof HandlerMethod) {
      HandlerMethod method = (HandlerMethod)handler;
      RequestProtocol annotation = method.getMethodAnnotation(RequestProtocol.class);
      if (annotation == null) {
        annotation = AnnotationUtils.findAnnotation(method.getBeanType(), RequestProtocol.class);
      return annotation == null ? null : annotation.secure();
    return null;

  private String switchSecure(boolean secure, StringBuffer url) {
    int endSchema = url.indexOf("://");
    url.replace(0, endSchema, secure ? "https" : "http");
    int startPort = url.indexOf(":", endSchema + 3);
    if (startPort != -1) {
      int endPort = url.indexOf("/", startPort);
      int port = Integer.parseInt(url.substring(startPort + 1, endPort));
      port += secure ? PORT_DIFF : -PORT_DIFF;
      url.replace(startPort + 1, endPort, String.valueOf(port));
    return url.toString();

To enable the interceptor on a pure annotation based Spring config, use the WebMvcConfigurerAdapter:

public class MyConfiguration extends WebMvcConfigurerAdapter {

  public void addInterceptors(InterceptorRegistry registry) {
    registry.addInterceptor(new RequestProtocolInterceptor());

You can do it in your Tomcat config.

try adding redirectPort="" in server.xml to the HTTP connector.

Hope it helps.


This article will explain you how to deal with SSL and has a lot of an examples.




验证码 换一张
取 消