How to disable force HTTPS in tomcat based on header value - spring-boot

I've got a Spring boot application hosted on internal tomcat. We've enabled the below properties to force a redirect to HTTPS as a response.
server.use-forward-headers=true
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.protocol-header=x-forwarded-proto
Now, I've a requirement to open this application for internal use as well and in this case, I should not force HTTPS in response.
I understand that I can use property
server.tomcat.internal-proxies=192\\.168\\.\\d{1,3}\\.\\d{1,3}
But I do not want to do this based on IP, rather want to use a specific value in the header.
Example: if header "X-Forwarded-Host" contains a value like "test.com.sg" --> then do NOT force HTTPS.
May I know how I can achieve this?

Related

Set X-Frame Options to allow in Spring Boot without spring security

I am building a small Spring Boot / Angular app that will be displayed inside an iframe of another app. Basically a small tool for adding / editing contracts. I have not implemented Spring Security, because the whole authentication thing is done by the parent app. There is only one way to reach my app, through that other app. The parent app will send me the login and that's all.
The problem is, I cannot open my app inside the other one, because of the x-frame-options: deny header. Is there a way to change this header without implementing the whole Spring Security thing? Or maybe implementing only the HttpSecurity part with x-frame-options disabled? Implementing the whole of Spring Security would be overkill for that small app, so I really hope there is some other option in Spring Boot, or maybe on the server side (WildFly 20).
I am using spring boot 2.7.0.
Thanks in advance.
If you implement Content-Security-Policy frame-ancestors directive it will override X-Frame-Options (Except for IE, which no longer should be a problem). You need to find a way to set the header in the same response as X-Frame-Options, this could likely be in code, webserver, proxy, or a load balancer. In the frame-ancestors directive, list the host names of all allowed hosts.
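One way to set the header "in code", shown as an added example that is not part of the original answer: a servlet filter for Spring Boot 2.7 (which uses the `javax.servlet` API) that emits `frame-ancestors` from a validated allowlist. The class name and the `https://parent.example` origin are hypothetical placeholders for the parent app's real origin.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class FrameAncestorsFilter extends OncePerRequestFilter {
    // Constructed placeholder: replace with the origin(s) of the app that embeds this one.
    private static final List<String> ALLOWED_PARENTS = Arrays.asList("https://parent.example");
    private final String policy = buildPolicy(ALLOWED_PARENTS);

    // An empty allowlist fails closed: no site may frame the app.
    static String buildPolicy(List<String> origins) {
        if (origins.isEmpty()) return "frame-ancestors 'none'";
        return "frame-ancestors " + origins.stream()
                .map(FrameAncestorsFilter::requireOrigin)
                .collect(Collectors.joining(" "));
    }

    // Accept only https://host[:port]. Wildcards, paths, and characters that could
    // start a second directive (';', spaces) are rejected at startup.
    static String requireOrigin(String value) {
        URI uri = URI.create(value); // throws IllegalArgumentException on illegal characters
        boolean bare = uri.getHost() != null // null for wildcard or malformed hosts
                && "https".equals(uri.getScheme())
                && uri.getRawPath().isEmpty()
                && uri.getRawQuery() == null
                && uri.getRawFragment() == null
                && uri.getRawUserInfo() == null;
        if (!bare) {
            throw new IllegalArgumentException("Not a plain https origin: " + value);
        }
        return value;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        // Set before the chain runs: headers added after the response is committed are ignored.
        response.setHeader("Content-Security-Policy", policy);
        chain.doFilter(request, response);
    }
}
```

Listing exact origins keeps framing limited to the parent app, which matters here because the embedded app relies on that parent for authentication.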

Setting a base url for urls generated by Spring

We've got a restful api running using spring which generates HATEOAS links. When I run the service locally, they are generated fine, but on our server, which hosts tomcat behind apache which proxies the app to /api/ (locally it's just run on /), the urls are still generated like the app is run on /.
Is there any way to tell spring to use a base url when generating these?
I've figured out my problem. Spring wasn't at fault. When building links, spring uses the X-Forwarded-Host, X-Forwarded-Ssl, etc. and, since 4.1.3, X-Forwarded-Prefix to correctly build urls that will be forwarded by a proxy. This last one however, is not automatically set by apache when proxying, so installing mod_headers and adding RequestHeader set X-Forwarded-Prefix "api" to my LocationMatch directive solved everything.

Force to use https instead of http with spring-ws

How will you force http connection to use https when clients try to connect to the server using spring-ws? I have seen some examples that use WebSecurityConfigurerAdapter, but what is the best way of doing it for annotation based (No XML configuration file exists) spring-ws?
That really depends on the container you're running Spring-WS in. For instance, in Tomcat, you have to put a security constraint in your web.xml.
Actually I ended up using Spring EndpointInterceptors to accomplish this. Here is one example I referred to: http://spring-webservice-2-step-by-step.blogspot.com/2011/12/spring-web-services-20-step-by-step.html

Modify ldap provider url without restarting the spring security application

We are providing a facility for customers to configure the LDAP server at runtime. But when I modify the provider server URL used in the constructor of the context source, the application crashes. Is there any way to change the LDAP server URL at runtime for LdapAuthenticationProvider?
If this is a case where you are changing the provider because one may be down for some reason, you should set up multiple authentication providers (security:authentication-provider) in your spring-security config file. Spring-security will start at the top of the list & keep trying until it finds one that works. That way you can leave this setup & not have a need to redeploy your code.

Spring integration. Want to use HTTPS

I'm using Spring Integration - HTTP Adaptor.
Now, I want to make it HTTPS. Please let me know how to implement it.
If you mean on the client (outbound) side, simply use an https://... url.
If you mean on the server (inbound) side, then configure your servlet container to use SSL.
