Skip to content

Commit 2d96fba

Browse files
jzheauxjzheaux
committed
Add HttpsRedirectFilter
Closes gh-16678
1 parent ec19efb commit 2d96fba

File tree

2 files changed

+281
-0
lines changed

2 files changed

+281
-0
lines changed

web/src/main/java/org/springframework/security/web/transport/HttpsRedirectFilter.java

Lines changed: 112 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,112 @@
1+
/*
2+
* Copyright 2002-2025 the original author or authors.
3+
*
4+
* Licensed under the Apache License, Version 2.0 (the "License");
5+
* you may not use this file except in compliance with the License.
6+
* You may obtain a copy of the License at
7+
*
8+
* https://www.apache.org/licenses/LICENSE-2.0
9+
*
10+
* Unless required by applicable law or agreed to in writing, software
11+
* distributed under the License is distributed on an "AS IS" BASIS,
12+
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
* See the License for the specific language governing permissions and
14+
* limitations under the License.
15+
*/
16+
17+
package org.springframework.security.web.transport;
18+
19+
import java.io.IOException;
20+
21+
import jakarta.servlet.FilterChain;
22+
import jakarta.servlet.ServletException;
23+
import jakarta.servlet.http.HttpServletRequest;
24+
import jakarta.servlet.http.HttpServletResponse;
25+
26+
import org.springframework.security.web.DefaultRedirectStrategy;
27+
import org.springframework.security.web.PortMapper;
28+
import org.springframework.security.web.PortMapperImpl;
29+
import org.springframework.security.web.RedirectStrategy;
30+
import org.springframework.security.web.util.UrlUtils;
31+
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
32+
import org.springframework.security.web.util.matcher.RequestMatcher;
33+
import org.springframework.util.Assert;
34+
import org.springframework.web.filter.OncePerRequestFilter;
35+
import org.springframework.web.util.UriComponents;
36+
import org.springframework.web.util.UriComponentsBuilder;
37+
38+
/**
39+
* Redirects any non-HTTPS request to its HTTPS equivalent.
40+
*
41+
* <p>
42+
* Can be configured to use a {@link RequestMatcher} to narrow which requests get
43+
* redirected.
44+
*
45+
* <p>
46+
* Can also be configured for custom ports using {@link PortMapper}.
47+
*
48+
* @author Josh Cummings
49+
* @since 6.5
50+
*/
51+
public final class HttpsRedirectFilter extends OncePerRequestFilter {
52+
53+
private PortMapper portMapper = new PortMapperImpl();
54+
55+
private RequestMatcher requestMatcher = AnyRequestMatcher.INSTANCE;
56+
57+
private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
58+
59+
@Override
60+
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
61+
throws ServletException, IOException {
62+
if (!isInsecure(request)) {
63+
chain.doFilter(request, response);
64+
return;
65+
}
66+
if (!this.requestMatcher.matches(request)) {
67+
chain.doFilter(request, response);
68+
return;
69+
}
70+
String redirectUri = createRedirectUri(request);
71+
this.redirectStrategy.sendRedirect(request, response, redirectUri);
72+
}
73+
74+
/**
75+
* Use this {@link PortMapper} for mapping custom ports
76+
* @param portMapper the {@link PortMapper} to use
77+
*/
78+
public void setPortMapper(PortMapper portMapper) {
79+
Assert.notNull(portMapper, "portMapper cannot be null");
80+
this.portMapper = portMapper;
81+
}
82+
83+
/**
84+
* Use this {@link RequestMatcher} to narrow which requests are redirected to HTTPS.
85+
*
86+
* The filter already first checks for HTTPS in the uri scheme, so it is not necessary
87+
* to include that check in this matcher.
88+
* @param requestMatcher the {@link RequestMatcher} to use
89+
*/
90+
public void setRequestMatcher(RequestMatcher requestMatcher) {
91+
Assert.notNull(requestMatcher, "requestMatcher cannot be null");
92+
this.requestMatcher = requestMatcher;
93+
}
94+
95+
private boolean isInsecure(HttpServletRequest request) {
96+
return !"https".equals(request.getScheme());
97+
}
98+
99+
private String createRedirectUri(HttpServletRequest request) {
100+
String url = UrlUtils.buildFullRequestUrl(request);
101+
UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(url);
102+
UriComponents components = builder.build();
103+
int port = components.getPort();
104+
if (port > 0) {
105+
Integer httpsPort = this.portMapper.lookupHttpsPort(port);
106+
Assert.state(httpsPort != null, () -> "HTTP Port '" + port + "' does not have a corresponding HTTPS Port");
107+
builder.port(httpsPort);
108+
}
109+
return builder.scheme("https").toUriString();
110+
}
111+
112+
}

web/src/test/java/org/springframework/security/web/transport/HttpsRedirectFilterTests.java

Lines changed: 169 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,169 @@
1+
/*
2+
* Copyright 2002-2025 the original author or authors.
3+
*
4+
* Licensed under the Apache License, Version 2.0 (the "License");
5+
* you may not use this file except in compliance with the License.
6+
* You may obtain a copy of the License at
7+
*
8+
* https://www.apache.org/licenses/LICENSE-2.0
9+
*
10+
* Unless required by applicable law or agreed to in writing, software
11+
* distributed under the License is distributed on an "AS IS" BASIS,
12+
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
* See the License for the specific language governing permissions and
14+
* limitations under the License.
15+
*/
16+
17+
package org.springframework.security.web.transport;
18+
19+
import jakarta.servlet.FilterChain;
20+
import jakarta.servlet.http.HttpServletRequest;
21+
import jakarta.servlet.http.HttpServletResponse;
22+
import org.junit.jupiter.api.BeforeEach;
23+
import org.junit.jupiter.api.Test;
24+
import org.junit.jupiter.api.extension.ExtendWith;
25+
import org.mockito.Mock;
26+
import org.mockito.junit.jupiter.MockitoExtension;
27+
28+
import org.springframework.http.HttpHeaders;
29+
import org.springframework.mock.web.MockHttpServletRequest;
30+
import org.springframework.mock.web.MockHttpServletResponse;
31+
import org.springframework.security.web.PortMapper;
32+
import org.springframework.security.web.util.matcher.RequestMatcher;
33+
import org.springframework.web.util.UriComponents;
34+
import org.springframework.web.util.UriComponentsBuilder;
35+
36+
import static org.assertj.core.api.Assertions.assertThat;
37+
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
38+
import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
39+
import static org.mockito.ArgumentMatchers.any;
40+
import static org.mockito.BDDMockito.given;
41+
import static org.mockito.Mockito.mock;
42+
import static org.mockito.Mockito.verify;
43+
44+
/**
45+
* Tests for {@link HttpsRedirectFilter}
46+
*
47+
* @author Josh Cummings
48+
*/
49+
@ExtendWith(MockitoExtension.class)
50+
public class HttpsRedirectFilterTests {
51+
52+
HttpsRedirectFilter filter;
53+
54+
@Mock
55+
FilterChain chain;
56+
57+
@BeforeEach
58+
public void configureFilter() {
59+
this.filter = new HttpsRedirectFilter();
60+
}
61+
62+
@Test
63+
public void filterWhenRequestIsInsecureThenRedirects() throws Exception {
64+
HttpServletRequest request = get("http://localhost");
65+
HttpServletResponse response = ok();
66+
this.filter.doFilter(request, response, this.chain);
67+
assertThat(statusCode(response)).isEqualTo(302);
68+
assertThat(redirectedUrl(response)).isEqualTo("https://localhost");
69+
}
70+
71+
@Test
72+
public void filterWhenExchangeIsSecureThenNoRedirect() throws Exception {
73+
HttpServletRequest request = get("https://localhost");
74+
HttpServletResponse response = ok();
75+
this.filter.doFilter(request, response, this.chain);
76+
assertThat(statusCode(response)).isEqualTo(200);
77+
}
78+
79+
@Test
80+
public void filterWhenExchangeMismatchesThenNoRedirect() throws Exception {
81+
RequestMatcher matcher = mock(RequestMatcher.class);
82+
this.filter.setRequestMatcher(matcher);
83+
HttpServletRequest request = get("http://localhost:8080");
84+
HttpServletResponse response = ok();
85+
this.filter.doFilter(request, response, this.chain);
86+
assertThat(statusCode(response)).isEqualTo(200);
87+
}
88+
89+
@Test
90+
public void filterWhenExchangeMatchesAndRequestIsInsecureThenRedirects() throws Exception {
91+
RequestMatcher matcher = mock(RequestMatcher.class);
92+
given(matcher.matches(any())).willReturn(true);
93+
this.filter.setRequestMatcher(matcher);
94+
HttpServletRequest request = get("http://localhost:8080");
95+
HttpServletResponse response = ok();
96+
this.filter.doFilter(request, response, this.chain);
97+
assertThat(statusCode(response)).isEqualTo(302);
98+
assertThat(redirectedUrl(response)).isEqualTo("https://localhost:8443");
99+
verify(matcher).matches(any(HttpServletRequest.class));
100+
}
101+
102+
@Test
103+
public void filterWhenRequestIsInsecureThenPortMapperRemapsPort() throws Exception {
104+
PortMapper portMapper = mock(PortMapper.class);
105+
given(portMapper.lookupHttpsPort(314)).willReturn(159);
106+
this.filter.setPortMapper(portMapper);
107+
HttpServletRequest request = get("http://localhost:314");
108+
HttpServletResponse response = ok();
109+
this.filter.doFilter(request, response, this.chain);
110+
assertThat(statusCode(response)).isEqualTo(302);
111+
assertThat(redirectedUrl(response)).isEqualTo("https://localhost:159");
112+
verify(portMapper).lookupHttpsPort(314);
113+
}
114+
115+
@Test
116+
public void filterWhenRequestIsInsecureAndNoPortMappingThenThrowsIllegalState() {
117+
HttpServletRequest request = get("http://localhost:1234");
118+
HttpServletResponse response = ok();
119+
assertThatIllegalStateException().isThrownBy(() -> this.filter.doFilter(request, response, this.chain));
120+
}
121+
122+
@Test
123+
public void filterWhenInsecureRequestHasAPathThenRedirects() throws Exception {
124+
HttpServletRequest request = get("http://localhost:8080/path/page.html?query=string");
125+
HttpServletResponse response = ok();
126+
this.filter.doFilter(request, response, this.chain);
127+
assertThat(statusCode(response)).isEqualTo(302);
128+
assertThat(redirectedUrl(response)).isEqualTo("https://localhost:8443/path/page.html?query=string");
129+
}
130+
131+
@Test
132+
public void setRequiresTransportSecurityMatcherWhenSetWithNullValueThenThrowsIllegalArgument() {
133+
assertThatIllegalArgumentException().isThrownBy(() -> this.filter.setRequestMatcher(null));
134+
}
135+
136+
@Test
137+
public void setPortMapperWhenSetWithNullValueThenThrowsIllegalArgument() {
138+
assertThatIllegalArgumentException().isThrownBy(() -> this.filter.setPortMapper(null));
139+
}
140+
141+
private String redirectedUrl(HttpServletResponse response) {
142+
return response.getHeader(HttpHeaders.LOCATION);
143+
}
144+
145+
private int statusCode(HttpServletResponse response) {
146+
return response.getStatus();
147+
}
148+
149+
private HttpServletRequest get(String uri) {
150+
UriComponents components = UriComponentsBuilder.fromUriString(uri).build();
151+
MockHttpServletRequest request = new MockHttpServletRequest("GET", components.getPath());
152+
request.setQueryString(components.getQuery());
153+
if (components.getScheme() != null) {
154+
request.setScheme(components.getScheme());
155+
}
156+
int port = components.getPort();
157+
if (port != -1) {
158+
request.setServerPort(port);
159+
}
160+
return request;
161+
}
162+
163+
private HttpServletResponse ok() {
164+
MockHttpServletResponse response = new MockHttpServletResponse();
165+
response.setStatus(200);
166+
return response;
167+
}
168+
169+
}

0 commit comments

Comments
 (0)