Former Member
Aug 07, 2017 at 03:43 PM

Spring security works only on HTTPS


Hi,

I'm working on Hybris 6.4 and I'm facing a Spring Security issue.

When I try to log on using the HTTPS protocol (https://localhost:9002/training/), it works perfectly.


But when I try to log on using the HTTP protocol (http://localhost:9001/training/), the server redirects to http://localhost:9001/training/j_spring_security_check and responds with a 403 status error.


Here is my Spring Security config file.

 <beans:beans xmlns="http://www.springframework.org/schema/security"
              xmlns:beans="http://www.springframework.org/schema/beans"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security.xsd
            http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans.xsd"
 >
 
     <!-- Error pages and static resources bypass the security filter chain completely:
          no authentication, no CSRF check and no security headers are applied to them. -->
     <http pattern="/500.jsp" security="none" />
     <http pattern="/404.jsp" security="none" />
     <http pattern="/static/**" security="none" />
     
     <!-- Default filter chain for every other request. intercept-url rules are matched in
          document order (first match wins), so the /login.jsp rule must stay above the
          /** catch-all or anonymous users could never reach the login page. -->
     <http auto-config="true" use-expressions="true">
         <!-- Session fixation protection is switched off for this chain. The "fixation"
              bean declared further down is not referenced from this element, so it has no
              effect on this configuration as written. -->
         <session-management session-fixation-protection="none" />
         <intercept-url pattern="/login.jsp" access="isAnonymous()"/>
         <intercept-url pattern="/**" access="hasRole('ROLE_CUSTOMERGROUP')"/>
         <http-basic />
         <form-login 
             login-page="/login.jsp" 
             username-parameter="j_username"
             password-parameter="j_password"
             login-processing-url="/j_spring_security_check"
             authentication-failure-url="/login.jsp?login_error=1"
         />
         <!-- key must match the "key" property of the rememberMeServices bean below. -->
         <remember-me services-ref="rememberMeServices" key="adminweb"/>
         <logout logout-url="/j_spring_security_logout" logout-success-url="/login.jsp"/>
         <!-- CSRF protection is enabled, so the POST to /j_spring_security_check must carry
              the token issued for the current session (the _csrf request parameter by
              default) or the request is rejected with 403 before authentication runs.
              NOTE(review): a 403 on the login-processing URL that appears only over plain
              HTTP is consistent with this check failing because the session cookie is not
              presented on the HTTP port (for example if the cookie is flagged Secure), so
              the token in the form never matches the one stored in the session. Confirm by
              comparing the JSESSIONID sent on the GET of /login.jsp and on the POST. -->
         <csrf />
         <headers>
             <!-- Suppresses the X-Frame-Options header, so responses may be framed by
                  other origins; clickjacking protection is not applied to this chain. -->
             <frame-options disabled="true"/>
         </headers>
     </http>
 
     <!-- Declared but not wired into the session-management element above. -->
     <beans:bean id="fixation" class="de.hybris.platform.servicelayer.security.spring.HybrisSessionFixationProtectionStrategy">
         <beans:property name="migrateSessionAttributes" value="false"/>
     </beans:bean>
 
     <!-- Remember-me service backing the remember-me element; the "key" value here and
          on that element are the same ("adminweb"), which is required for the tokens to
          validate. The persistent cookie is named LoginToken. -->
     <beans:bean id="rememberMeServices" class="de.hybris.platform.spring.security.CoreRememberMeService">
         <beans:property name="key" value="adminweb" />
         <beans:property name="cookieName" value="LoginToken" />
         <beans:lookup-method name="lookupUserDetailsService" bean="coreUserDetailsService" />
     </beans:bean>
 
     <!-- All authentication (form login and HTTP Basic) is delegated to the single
          provider below. -->
     <authentication-manager>
         <authentication-provider ref="coreAuthenticationProvider"/>
     </authentication-manager>
 
     <beans:bean id="coreAuthenticationProvider" class="de.hybris.platform.spring.security.CoreAuthenticationProvider">
         <beans:property name="userDetailsService" ref="coreUserDetailsService" />
     </beans:bean>
 
     <!-- Shared by the authentication provider and the remember-me service. -->
     <beans:bean id="coreUserDetailsService" class="de.hybris.platform.spring.security.CoreUserDetailsService" />
 
 </beans:beans>

Here is my web.xml file.

 <?xml version="1.0" encoding="iso-8859-1"?>
 <!--
  [y] hybris Platform
 
  Copyright (c) 2017 SAP SE or an SAP affiliate company.  All rights reserved.
 
  This software is the confidential and proprietary information of SAP
  ("Confidential Information"). You shall not disclose such Confidential
  Information and shall use it only in accordance with the terms of the
  license agreement you entered into with SAP.
 -->
 
 <web-app id="scalp" version="3.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns="http://java.sun.com/xml/ns/javaee"
          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
          metadata-complete="true">
     <absolute-ordering/>
 
     <display-name>scalp</display-name>
 
     <!-- Container-managed BASIC auth. NOTE(review): no security-constraint is declared
          in this file, so the container itself never challenges for credentials here;
          authentication is performed by the springSecurityFilterChain mapped below. -->
     <login-config>
         <auth-method>BASIC</auth-method>
     </login-config>
 
     <!-- Error pages -->
 
     <error-page>
         <error-code>500</error-code>
         <location>/500.jsp</location>
     </error-page>
 
     <error-page>
         <error-code>404</error-code>
         <location>/404.jsp</location>
     </error-page>
 
     <error-page>
         <error-code>405</error-code>
         <location>/405.jsp</location>
     </error-page>
 
     <!-- 403 and 401 are both rendered as the login page with login_error=1, so an
          access-denied or CSRF rejection from the security filter shows up to the user as
          a failed login rather than a bare 403 body; the response status is unchanged. -->
     <error-page>
         <error-code>403</error-code>
         <location>/login.jsp?login_error=1</location>
     </error-page>
 
     <error-page>
         <error-code>401</error-code>
         <location>/login.jsp?login_error=1</location>
     </error-page>
 
     <filter>
         <filter-name>XSSFilter</filter-name>
         <filter-class>de.hybris.platform.servicelayer.web.XSSFilter</filter-class>
     </filter>
 
     <!-- Forces UTF-8 on request and response (forceEncoding=true) before any controller
          or JSP reads parameters. -->
     <filter>
         <filter-name>characterEncodingFilter</filter-name>
         <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
         <init-param>
             <param-name>encoding</param-name>
             <param-value>UTF-8</param-value>
         </init-param>
         <init-param>
             <param-name>forceEncoding</param-name>
             <param-value>true</param-value>
         </init-param>
     </filter>
 
     <!-- DelegatingFilterProxy looks up a Spring bean with the same name as the filter
          (scalpPlatformFilterChain) in the web application context. -->
     <filter>
         <filter-name>scalpPlatformFilterChain</filter-name>
         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
     </filter>
 
     <!-- Spring Security Filter - uncomment it if you want to secure your application -->
     <!-- Delegates to the springSecurityFilterChain bean built from the security config. -->
     <filter>
         <filter-name>springSecurityFilterChain</filter-name>
         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
     </filter>
 
     <!-- Filter mappings -->
     <!-- Mappings apply in document order: XSS filtering, then encoding, then the platform
          chain, and the security chain last; every filter covers all URLs. -->
     <filter-mapping>
         <filter-name>XSSFilter</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>
 
     <filter-mapping>
         <filter-name>characterEncodingFilter</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>
 
     <filter-mapping>
         <filter-name>scalpPlatformFilterChain</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>
 
     <!-- Spring Security Filter mapping - uncomment it if you want to secure your application -->
     <filter-mapping>
         <filter-name>springSecurityFilterChain</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>
 
     <!--
         Enabling a Spring web application context with 'session' and 'request' scope.
         - The 'contextConfigLocation' specifies where your configuration files are located.
         - The HybrisContextLoaderListener extends the usual SpringContextLoaderListener (which loads
           the context from specified location) by adding the global application context of
           the platform as parent context.
         - The RequestContextListener is needed for exposing the 'request' scope to the context.
           Furthermore it is needed when overriding the 'jalosession' bean for your web application.
      -->
     <context-param>
         <param-name>contextConfigLocation</param-name>
         <param-value>WEB-INF/config/scalp-web-app-config.xml</param-value>
     </context-param>
 
     <listener>
         <listener-class>de.hybris.platform.spring.HybrisContextLoaderListener</listener-class>
     </listener>
 
     <listener>
         <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
     </listener>
 
     <!-- Front controller; its own MVC context is loaded from the file named below and
          uses the context above as parent. -->
     <servlet>
         <servlet-name>springmvc</servlet-name>
         <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
         <init-param>
             <param-name>contextConfigLocation</param-name>
             <param-value>WEB-INF/config/scalp-spring-mvc-config.xml</param-value>
         </init-param>
         <load-on-startup>1</load-on-startup>
     </servlet>
 
     <servlet-mapping>
         <servlet-name>springmvc</servlet-name>
         <url-pattern>/</url-pattern>
     </servlet-mapping>
     
     <!-- Session timeout is in minutes. COOKIE-only tracking means the session id is never
          appended to URLs; whether that cookie is also flagged Secure or HttpOnly is not
          set here and comes from the platform/container defaults. -->
     <session-config>
         <session-timeout>120</session-timeout>
         <tracking-mode>COOKIE</tracking-mode>
     </session-config>
     
 </web-app> 
 

Attachments

9272-file1.png (57.9 kB)
9273-capture.png (75.4 kB)