grails-spring-security-core
GPSPRINGSECURITYCORE-317: Add a setting to allow SavedRequests to always use the same protocol
Original Reporter: keithrz
Environment: Not Specified
Version: Grails-Spring-Security-Core 1.2.7.3
Migrated From: http://jira.grails.org/browse/GPSPRINGSECURITYCORE-317
We are currently using AWS ELB -> Apache in front of our Tomcat instance running Grails. We use Apache to redirect http requests to https requests. This works fine for us on our regular site. The issue arises when trying to embed our site within an iframe on Chrome. Chrome does not like an https site redirecting to an http page (even if that page subsequently redirects to https). The reason this happens is that to Spring Security it looks like we're on http because we're behind a load balancer.
We need an ability to tell Spring Security that even though the saved request you receive is using http, we need you to change that to https once you complete the authentication.
It would be really nice to have a setting to tell the Grails Spring Security plugin to always either format the URLs as relative or force them to an https scheme so that we can run the application within an iframe in Chrome.
Our workaround was to override SecureRequestCache.
Gist: https://gist.github.com/joshuacalloway/ec3d5778f978059f5db9
StackOverflow: http://stackoverflow.com/questions/28747031/how-to-force-spring-security-to-make-https-redirect-requests-when-behind-a-load
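
The two rewrites requested above (force the saved URL to https, or make it relative), as an added example that is not part of the original issue and is not the plugin's or the linked gist's code. The class and method names are hypothetical and the sample URLs are constructed; a custom request cache or Spring Security `RedirectStrategy` is assumed to be where such a helper would be called.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example; class and method names are hypothetical, sample URLs are constructed.
public class SavedRequestUrls {

    // Path + query + fragment in their raw (still-encoded) form.
    // Leading slashes are collapsed so "//other.example/x" cannot become a
    // scheme-relative redirect to another host.
    static String toRelative(String savedUrl) throws URISyntaxException {
        URI u = new URI(savedUrl);
        String path = u.getRawPath();
        StringBuilder sb = new StringBuilder(
                path == null || path.isEmpty() ? "/" : path.replaceFirst("^/+", "/"));
        if (u.getRawQuery() != null) sb.append('?').append(u.getRawQuery());
        if (u.getRawFragment() != null) sb.append('#').append(u.getRawFragment());
        return sb.toString();
    }

    // Rebuild an absolute URL as https on the public port. The port of the saved
    // URL is dropped on purpose: behind a load balancer it is the backend's port.
    static String forceHttps(String savedUrl, int publicHttpsPort) throws URISyntaxException {
        URI u = new URI(savedUrl);
        if (u.getHost() == null) {
            return toRelative(savedUrl); // already relative, nothing to force
        }
        String port = publicHttpsPort == 443 ? "" : ":" + publicHttpsPort;
        return "https://" + u.getHost() + port + toRelative(savedUrl);
    }

    public static void main(String[] args) throws URISyntaxException {
        String[] saved = {
            "http://app.example.com/dashboard?tab=1",
            "http://app.example.com:8080/report/a%2Fb#top",
            "https://app.example.com/already/secure",
            "http://app.example.com//other.example/x",
        };
        for (String s : saved) {
            System.out.println(forceHttps(s, 443) + "   |   " + toRelative(s));
        }
    }
}
```

The relative form never carries a scheme or host, so it cannot reintroduce the http hop that Chrome blocks inside the iframe, whatever protocol the backend believes it is serving.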