issue of accept HTTP connection behind a SSL enabled proxy

[clockrun]

Describe the bug
I'm running application on Kubernetes. Where SSL connection is handled on ingress (nginx) side, and java application is using HTTP. Now there are to situation:

1. by using default setup, because I'm not using SSL on java side, it tries to redirect me to http

2023-01-03 02:56:03.084 DEBUG 1 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Securing GET /somePath
--
Tue, Jan 3 2023 10:56:03 am | 2023-01-03 02:56:03.091 DEBUG 1 --- [nio-8080-exec-1] o.s.s.w.a.c.ChannelProcessingFilter : Request: filter invocation [GET /somePath]; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
Tue, Jan 3 2023 10:56:03 am | 2023-01-03 02:56:03.091 DEBUG 1 --- [nio-8080-exec-1] o.s.s.w.a.c.RetryWithHttpEntryPoint : Redirecting to: http://example.com/somePath

becuase I set to redirect all http traffic to https on ingress, then this become endless redirect and causing error Error: Exceeded maxRedirects. Probably stuck in a redirect loop in the end
2. if i defined server.ssl.enabled=true, then I must generate and define certificate / keystore in java, which is not neccessary in my case

Code sample
Problematic code are as below

		if (isSsl) {
			http.requiresChannel().anyRequest().requiresSecure();
		} else {
			http.requiresChannel().anyRequest().requiresInsecure();
		}

Expected behavior
when using behind a SSL proxy and not using SSL on java side, do not reject connection or redirect

Additional context

[ch4mpy]

Will fix. If it's ok for you, I'll just drop the else clause and keep forcing https if SSL is enabled.

(P.S., you could use cert-manager and letsencrypt to provision certificates with well-known root authority and have end-to-end SSL connection, but I understand that forcing non https when SSL is disabled in Spring can be an issue)

[ch4mpy]

Just released 6.0.10. Please confirm it solves your issue (and close).

[clockrun]

Thanks for you quick fix.
Unfortunately I'm using spring boot 2.7, could you please apply this to 5.x branch?

BTW, I'm using cert bot to generate certificate automatically. But these are done from ingress nginx side. From java side, it is using non-encrypted communication.

[ch4mpy]

If at least one channel is not encrypted, then it's not end-to-end encryption ;)

I'll have look later this night (Tahiti time) to fix 5.x branch, but if you're using boot 2.7, then your have a foot in spring-security 5 and the other in spring security 6 (boot 2.7 stopped half way IMO...).

5.x branch will keep targeting boot 2.6 (but you can override that in your project, of course)

I suggest you bump to boot 3, it shouldn't be much of an effort (mostly search and replace javax with jakarta in your imports)

[clockrun]

Well, I'd like to use spring-boot 3. But some of my dependencies are still with old servlet package name. This is expected to be solved in next few weeks.

[ch4mpy]

I am releasing a 5.4.1. Please let us know how it goes with it boot 2.7 (and JDK >= 8).

[clockrun]

tested locally, by simply remove the else section it works.

[ch4mpy]

Both 5.4.1 (for JDK 1.8 and boot 2.6) and 6.0.10 (for JDK 17 and boot 3.0) are available from maven central. Please re-open if you can't get things working with one of those versions.