Spring Security - HTTP/HTTPS Channel Security

[Updated: Jan 24, 2018, Created: Jan 23, 2018]

Spring Security supports both HTTP and HTTPS. In our application, we can specify particular URL patterns that can only be accessed over HTTPS. If a user attempts to access those URLs over HTTP, the request is redirected to HTTPS.


Java Config class

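@Configuration
@EnableWebSecurity
@EnableWebMvc
@ComponentScan
public class AppConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
      http.authorizeRequests()
          .antMatchers("/users/**").hasRole("USER")
          .and()
          .formLogin()
          .and()
          //following enables https for the specified URL pattern
          .requiresChannel().antMatchers("/users/**").requiresSecure();
  }

  @Override
  public void configure(AuthenticationManagerBuilder builder) throws Exception {
      //placeholder credentials: the example's real values are not shown here
      builder.inMemoryAuthentication()
             .withUser("<username>")
             .password(passwordEncoder().encode("<password>"))
             .roles("USER");
  }

  @Bean
  public PasswordEncoder passwordEncoder() {
      return new BCryptPasswordEncoder();
  }

  @Bean
  public ViewResolver viewResolver() {
      InternalResourceViewResolver vr = new InternalResourceViewResolver();
      vr.setPrefix("/WEB-INF/views/");
      vr.setSuffix(".jsp");
      return vr;
  }
}

@Controller
public class MyController {

  @RequestMapping(value = {"/users/**","/quests/**"})
  public String handleRequest(HttpServletRequest request, Model model) {
      Authentication auth = SecurityContextHolder.getContext().getAuthentication();
      model.addAttribute("uri", request.getRequestURI())
           .addAttribute("user", auth.getName())
           .addAttribute("roles", auth.getAuthorities());
      return "my-page";
  }
}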


<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html lang="en">
<body>
 <p>URI: ${uri} <br/>
 User :  ${user} <br/>
 roles:  ${roles} <br/><br/>
 <a href="http://localhost:8080/users/">/users/</a><br/>
 <a href="http://localhost:8080/quests/">/quests/</a><br/><br/>
 </p>
 <form action="/logout" method="post">
     <input type="hidden"
            name="${_csrf.parameterName}"
            value="${_csrf.token}"/>
  <input type="submit" value="Logout">
 </form>
</body>
</html>

As seen above, both links' href attributes are specified with 'http'. Clicking on /users/, however, redirects the browser to 'https' per our Java config.

Configuring tomcat7-maven-plugin to use HTTPS

For testing purposes, or even in a dev environment, we can configure tomcat7-maven-plugin to serve HTTPS URLs:


The keystore file should be created with keytool at the location specified above by <keystoreFile/>. Check out this tutorial for details.

Running the example application

To try the example, run the embedded Tomcat (configured in the pom.xml of the example project below):

mvn tomcat7:run-war


Entering 'localhost:8080/quests/' in the address bar:

Clicking on '/users/' redirects to 'https', and since we have configured this URL to be accessible only to the 'USER' role, the login form is shown on first access:

Note that Chrome shows a 'Not secure' warning for the self-signed certificate. For a real production application, we should get the certificate from a certificate authority.

Entering valid user/password and clicking on 'Login' button:

Clicking on /quests/:

'/quests/' can also be accessed via https. Entering 'https://localhost:8443/quests/' in the address bar:

Example Project

Dependencies and Technologies Used:

  • spring-security-web 5.0.0.RELEASE: spring-security-web.
  • spring-security-config 5.0.0.RELEASE: spring-security-config.
  • spring-webmvc 5.0.0.RELEASE: Spring Web MVC.
  • javax.servlet-api 3.1.0 Java Servlet API
  • jstl 1.2 javax.servlet:jstl
  • JDK 1.8
  • Maven 3.3.9

HTTP/HTTPS Channel Security Example
  • spring-https-channel-security
    • src
      • main
        • java
          • com
            • logicbig
              • example
        • webapp
          • WEB-INF
            • views
