Reputation: 4575
I have successfully set up an application using Spring Security. When users request the secured pages, Spring automatically redirects these users to an HTTPS page.

```xml
<http auto-config="true" use-expressions="true" once-per-request="true" >
    <intercept-url pattern="/login" access="permitAll" requires-channel="https"/>
    <intercept-url pattern="/my-account" access="isAuthenticated()" requires-channel="https"/>
    <logout />
    <form-login login-page="/login" />
    <port-mappings>
        <port-mapping http="8080" https="8443"/>
        <port-mapping http="80" https="443"/>
    </port-mappings>
</http>
```
But when the users navigate on, the other pages that do not have sensitive information are still using HTTPS. I would like these normal pages to be accessed using just HTTP.
Is there any intelligent way to do that? All the other pages that I have not configured as HTTPS channel I would like to be accessed using just HTTP. I tried to use some wildcards but without success.
Extra detail: HTTPS uses more server CPU. I have a lot of requests on some pages and I would like to avoid this extra cost.
Upvotes: 0
Views: 155
Reputation: 11
In Spring Security, you can do it this way:

```xml
<http auto-config="true" use-expressions="true" once-per-request="true" >
    <intercept-url pattern="/login" access="permitAll" requires-channel="https"/>
    <intercept-url pattern="/my-account" access="isAuthenticated()" requires-channel="https"/>
    <intercept-url pattern="/**" access="permitAll" requires-channel="http"/>
    <!-- remaining elements (logout, form-login, port-mappings) as in the question -->
</http>
```

All other URLs besides "/login" and "/my-account" will be served over http.
In addition to this, you must set the secure flag for the cookie. By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel. https://www.owasp.org/index.php/SecureFlag
Upvotes: 0
Reputation: 48256
Make your entire site HTTPS. Performance change is minimal these days and you won't screw over your users by exposing their session cookies over HTTP.
Upvotes: 1
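The two answers above disagree on whether a split HTTP/HTTPS site is safe. The following added example (not from the question or either answer) simulates a standards-compliant browser cookie jar with Python's `http.cookiejar` to show the point both are making: a session cookie set without the Secure attribute is sent along with every plain-HTTP page request, while a Secure cookie is withheld there. The host name, URLs and cookie values are constructed for the demonstration.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed Set-Cookie headers modelled on a servlet session cookie (JSESSIONID):
# the first lacks the Secure attribute, the second carries it.
INSECURE_COOKIE = "JSESSIONID=constructed-session-id-1; Path=/; HttpOnly"
SECURE_COOKIE = "JSESSIONID=constructed-session-id-2; Path=/; HttpOnly; Secure"

LOGIN_URL = "https://app.example.test/login"   # https-only /login, as in the question
PLAIN_URL = "http://app.example.test/news"     # a "normal" page served over plain http


class _FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar.extract_cookies() only
    needs .info() to return a headers object with get_all()."""

    def __init__(self, set_cookie_header):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def cookie_header_sent(set_cookie_header, request_url, login_url=LOGIN_URL):
    """Simulate a browser: accept the cookie from the HTTPS login response, then
    return the Cookie header it would attach to a request for request_url
    (None if the cookie policy withholds it)."""
    jar = http.cookiejar.CookieJar()
    login_req = urllib.request.Request(login_url)
    jar.extract_cookies(_FakeResponse(set_cookie_header), login_req)
    req = urllib.request.Request(request_url)
    jar.add_cookie_header(req)   # applies the Secure / domain / path rules
    return req.get_header("Cookie")


if __name__ == "__main__":
    for label, header in (("without Secure", INSECURE_COOKIE), ("with Secure", SECURE_COOKIE)):
        print(f"{label}: {PLAIN_URL} -> Cookie: {cookie_header_sent(header, PLAIN_URL)}")
        print(f"{label}: {LOGIN_URL} -> Cookie: {cookie_header_sent(header, LOGIN_URL)}")
```

The run shows the trade-off behind the second answer: without Secure the session token crosses the network in clear on every HTTP page, and with Secure the HTTP pages see no session at all, so a logged-in user is anonymous there.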