负载平衡器,我们已经部署了正在终止SSL负载平衡器后面Tomcat上的Grails应用发挥很好(负载均衡,然后在端口8080 Tomcat实例通信)。我们已经配置SpringSecurity要求对所有资源的安全通道,从负载平衡器注意头,迫使HTTPS和端口从负载均衡图:如何获得SpringSecurity/Grails的与被终止SSL
grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
grails.plugin.springsecurity.auth.forceHttps = true
grails.plugin.springsecurity.portMapper.httpPort = 80
grails.plugin.springsecurity.portMapper.httpsPort = 443
grails.plugin.springsecurity.secureChannel.definition = [
'/**': 'REQUIRES_SECURE_CHANNEL'
]
大部分是正常工作 - 来自Grails内部的重定向正如预期的那样使用https协议,以及大多数ajax请求。
但是也有一些Ajax请求是不正常工作。它们都与j_spring_security *端点(如j_spring_security_check)交互的结果有关。例如,如果用户试图通过AJAX登录,我们得到这个错误在浏览器中(这是登录成功启动重定向):
Mixed Content: The page at 'https://www.servernamehere.com/' was loaded over HTTPS, but
requested an insecure XMLHttpRequest endpoint 'http://www.servernamehere.com/login/ajaxSuccess'.
This request has been blocked; the content must be served over HTTPS.
同样的问题发生在不成功的身份验证:
Mixed Content: The page at 'https://www.servernamehere.com/' was loaded over HTTPS, but requested
an insecure XMLHttpRequest endpoint 'http://www.servernamehere.com/login/authfail?ajax=true'.
This request has been blocked; the content must be served over https.
我们如何配置Spring Security明白,走出身份验证事件的所有重定向需要为https?
麦克,这里有同样的问题,你能张贴你做了什么的例子?谢谢! – Arturo 2015-02-16 20:30:30
我遇到了完全相同的问题。你能举一个例子吗? – 2015-05-06 15:44:56