server.port=8443 without SSL redirects login to 8080

[fmarot]

Hello,
I face a problem in my everyday job app that I have been able to reproduce easily in the official sample "spring-boot-sample-web-secure-custom" ( https://github.com/spring-projects/spring-boot/tree/master/spring-boot-samples/spring-boot-sample-web-secure-custom ).

In application.properties, if I set server.port=8443 (while keeping classic http protocol, no https at all), then when I try to open url http://127.0.0.1:8443/FOOBAR then I am redirected to url http://127.0.0.1:8080/login (see the port has changed !)

Any port other than 8443 seems to be fine.
As 443 is the HTTP_S_ port, there must be something hardcoded with 8443 somewhere.

In my own app, configuring https solves the problem. But I'd like users to be able to switch to http if they want without knowing that they also have to use a port other than 8443.

Thanks for the good job Spring Boot Team !

[philwebb]

/cc @rwinch

[rwinch]

@fmarot Thank you for the feedback.

This is due to Spring Security's PortResolverImpl which attempts to work around a well know IE bug. From the javadoc:

This class is capable of handling the IE bug which results in an incorrect URL being
presented in the header subsequent to a redirect to a different scheme and port where
the port is not a well-known number (ie 80 or 443). Handling involves detecting an
incorrect response from ServletRequest.getServerPort() for the scheme (eg
a HTTP request on 8443) and then determining the real server port (eg HTTP request is
really on 8080). The map of valid ports is obtained from the configured
PortMapper

If you want to use HTTP, the easiest solution is to select a port other than 8443 which is typically used for HTTPS and thus remapped to work around the IE bug.

[wilkinsona]

Thanks, @rwinch

[swaminagesh]

fmarot please wirte how u configure https to solve the problem of 8443 as soon as possible please please.
thank u so much in advance.

[barrycommins]

Hi,

I ran into the inverse of this problem, where I had configured ssl, but hadn't changed the default server.port from 8080

In this case, redirections go to port 8443.
I put together a little project to demonstrate it: https://github.com/barrycommins/spring-boot-ssl-redirect-bug

I understand this this is due to the IE bug, but it may be worth documenting that if you enable ssl that you need to change the value for server.port to something other than the default.

[jmatzen]

Yup I'm having the same issue. I'm constrained by a broken OAuth2 redirect config that I have no control over.

[hauntingEcho]

I just ran into this issue as well (with HTTPS configured to 8080) - log errors/warnings would be helpful if this case is triggered

[wilkinsona]

it may be worth documenting that if you enable ssl that you need to change the value for server.port to something other than the default.

It's a little more complicated than that as it only becomes a problem if you're also using Spring Security.

log errors/warnings would be helpful if this case is triggered

This is an interesting suggestion, but I think any change would be more broadly applicable if it was made in Spring Security. There's nothing Spring Boot-specific about the behaviour.