我有一个仅在端口8080上运行仅使用SSL(不允许使用HTTP)的Web应用程序:
server:
ssl:
key-store-type: PKCS12
key-store: file:${SERVER_KEYSTORE_PATH}
key-store-password: ${SERVER_CERT_PASSWORD}
port: 8080
启动应用程序时,我在日志中看到:
2020-03-17 17:32:29.836 INFO 90960 --- [main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8080 (https)
我的一个端点(实际上是根端点)受到Spring Security OAuth2的保护:
@Override
protected void configure(HttpSecurity http) throws Exception {
String baseURI = redirectURI.substring(redirectURI.lastIndexOf("/"));
http.csrf().disable()
.authorizeRequests()
.antMatchers("/").authenticated()
.antMatchers("/**").permitAll()
.and()
.oauth2Login()
.defaultSuccessUrl("/")
.redirectionEndpoint().baseUri(baseURI);
}
问题是,当我转到https://localhost:8080时,它会将我重定向到https://localhost:8443/oauth2/authorization/oauth。因此,由于某些原因,端口8080被8443覆盖。
据我从类似的问题了解到,这是因为Tomcat试图将用户从纯端点(http)重定向到启用SSL的端点(https)。但是我的端点已经启用了SSL,所以我真的不明白为什么会这样。如果我转到任何其他端点,则可与https和8080端口一起使用-因此,只有受保护的端点才有问题。
我试图用TomcatServletWebServerFactory自定义ConnectorCustomizers并将那里的重定向端口设置为8080,但这没有帮助。
关于如何禁用此无用重定向的任何想法?
根据https://github.com/spring-projects/spring-security/issues/8140#issuecomment-600980028:
@Override
protected void configure(HttpSecurity http) throws Exception {
PortMapperImpl portMapper = new PortMapperImpl();
portMapper.setPortMappings(Collections.singletonMap("8080","8080"));
PortResolverImpl portResolver = new PortResolverImpl();
portResolver.setPortMapper(portMapper);
LoginUrlAuthenticationEntryPoint entryPoint = new LoginUrlAuthenticationEntryPoint(
"/login");
entryPoint.setPortMapper(portMapper);
entryPoint.setPortResolver(portResolver);
http
.exceptionHandling()
.authenticationEntryPoint(entryPoint)
.and()
//...
;
}