Document Proxy Server Configuration #4076
Description
Summary
Infinite loop occurs in commence method for Load Balancer (LB) based deployment
Actual Behavior
When useForward is true, the below if check runs in an infinite loop, as the HTTPS requests received by the LB are forwarded to the web server as HTTP:
```java
if (forceHttps && "http".equals(request.getScheme())) {
    // First redirect the current request to HTTPS.
    // When that request is received, the forward to the login page will be used.
    redirectUrl = buildHttpsRedirectUrlForRequest(request);
}
```
Expected Behavior
The if condition above could use the header Forward-proto or X-Forward-proto (refer to https://tools.ietf.org/html/rfc7239#page-7) to determine whether the server has a proxy or LB configured. Not all LBs add this header, and hence it can't always be relied on. Instead, an additional boolean param should be provided with this class to allow users to skip this check for such deployments.
Configuration
```xml
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="forceHttps" value="true"></property>
    <property name="useForward" value="true"></property>
</bean>
```
Version
spring-security-web-3.2.4.RELEASE
Sample
Refer to the config above.
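Added example (not Spring Security's code and not part of the issue report): a Python model of the quoted if-block that shows why a TLS-terminating load balancer which re-delivers every request to the web server as plain HTTP makes it loop, and the two ways out the reporter describes: resolving the client-facing scheme from the RFC 7239 `Forwarded` header (or `X-Forwarded-Proto`), and an explicit switch for load balancers that send neither. The `proxy_aware` and `skip_scheme_check` options are hypothetical, and the header values are constructed sample data.

```python
import re
from typing import Dict

# Constructed sample: headers a TLS-terminating load balancer might add
# while delivering the client's HTTPS request to the web server over HTTP.
LB_HEADERS_RFC7239 = {"Forwarded": "for=192.0.2.60;proto=https;by=203.0.113.43"}
LB_HEADERS_XFP = {"X-Forwarded-Proto": "https"}
LB_HEADERS_NONE: Dict[str, str] = {}  # an LB that adds no forwarding header at all


def effective_scheme(scheme: str, headers: Dict[str, str]) -> str:
    """Client-facing scheme: RFC 7239 'proto' first, then X-Forwarded-Proto,
    else the scheme of the hop that actually reached this server."""
    forwarded = headers.get("Forwarded")
    if forwarded:
        first_hop = forwarded.split(",")[0]  # one element per proxy, nearest the client first
        m = re.search(r'(?i)\bproto=("?)(https?)\1', first_hop)  # value may be quoted
        if m:
            return m.group(2).lower()
    xfp = headers.get("X-Forwarded-Proto")
    if xfp:
        return xfp.split(",")[0].strip().lower()
    return scheme


def commence_action(force_https: bool, scheme: str, headers: Dict[str, str],
                    proxy_aware: bool = False, skip_scheme_check: bool = False) -> str:
    """Model of the quoted if-block: 'redirect' to HTTPS or 'forward' to the login page.
    proxy_aware and skip_scheme_check are hypothetical options, not Spring's."""
    if skip_scheme_check:  # the extra boolean the reporter asks for
        return "forward"
    seen = effective_scheme(scheme, headers) if proxy_aware else scheme
    if force_https and seen == "http":
        return "redirect"
    return "forward"


def redirects_before_forward(headers: Dict[str, str], proxy_aware: bool = False,
                             skip_scheme_check: bool = False, max_hops: int = 10) -> int:
    """Replay the cycle browser -> LB -> server. The LB always hands the server
    'http', so the count only stops growing once commence_action forwards.
    Returns max_hops when the redirect loop never terminates."""
    hops = 0
    while hops < max_hops:
        action = commence_action(True, "http", headers, proxy_aware, skip_scheme_check)
        if action == "forward":
            return hops
        hops += 1  # browser follows the redirect to https://..., LB re-delivers it as http
    return hops
```

With the original check the counter hits `max_hops` whatever headers the LB sends; honoring the forwarding header stops it after zero redirects, and the explicit switch covers load balancers that add no header.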