Grails - SSL and Spring security core

Question

I would like to have my application running exclusively with SSL turned on. I am using the Spring Security core plugin.

This is how I attempt to do it in Config.groovy:

grails.plugins.springsecurity.portMapper.httpPort = 8080
grails.plugins.springsecurity.portMapper.httpsPort = 8443
grails.plugins.springsecurity.secureChannel.definition = [ '/**' : 'REQUIRES_SECURE_CHANNEL']

I was expecting this to cause redirects every time I would try to access a Url using HTTP. However, I am never redirected, and can navigate through both HTTP and HTTPS. I may add I am starting my application using grails run-app -https

Am I getting this all wrong ?

Any suggestion is most welcome.

Answer 1

You don't have any wildcards, so the definition is literally matching the root URL (/), but nothing below it (/foo). What you want is:

grails.plugins.springsecurity.secureChannel.definition = [ '/**' : 'REQUIRES_SECURE_CHANNEL']
                                                             ^^

(You can clearly see the wildcards in the documentation :-)

Finally, if your server is behind a load balancer or other firewall that hides the protocol, check that same page for instructions on checking the header.

Answer 2

Do you have a custom filterchain declared in your config?

you might need to add 'channelProcessingFilter' to your chain in that case

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/security-filter-chain.html

Answer 3

You can also try using the forceHttps option

grails.plugins.springsecurity.auth.forceHttps = true