There were a handful of questions last year around this same topic:
Grails application on Heroku with ssl
grails - spring-security-core secure-channel causing redirect loop (on Heroku)
grails - simple App to test spring-security-core secure-channel on Heroku
But no satisfactory answers seemed to crop up at the time.
I'm running a 2.24 Grails app on Heroku, using the Spring Security plugin (1.2.7.3).
Attempting to use:
grails.plugins.springsecurity.secureChannel.definition = [
'/myAccount/**': 'REQUIRES_SECURE_CHANNEL',
]
causes a redirect loop to occur for that url mapping.
My Config.groovy contains:
grails.plugins.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
In one of the questions linked above, Burt mentioned that
grails.plugins.springsecurity.portMapper.httpPort
grails.plugins.springsecurity.portMapper.httpsPort
probably need to be changed, but I can't find any documentation anywhere to suggest what ports should be used for Heroku - I've tried using 80 for http and 443 for https, but get the same problem.
Has anyone successfully got this working at any point?
It looks like this was down to the Spring Security plugin using the wrong case for 'x-forwarded-proto' when
grails.plugins.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
is set.
Adding this to my config.groovy solved the issue:
grails.plugins.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
grails.plugins.springsecurity.portMapper.httpPort = 80
grails.plugins.springsecurity.portMapper.httpsPort = 443
grails.plugins.springsecurity.secureChannel.secureHeaderName = 'X-FORWARDED-PROTO'
grails.plugins.springsecurity.secureChannel.secureHeaderValue = 'http'
grails.plugins.springsecurity.secureChannel.insecureHeaderName = 'X-FORWARDED-PROTO'
grails.plugins.springsecurity.secureChannel.insecureHeaderValue = 'https'
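An added example, not part of the original posts and not the plugin's own code: a simplified Groovy model of why a secure-channel check loops behind a TLS-terminating router and why the header check with secureHeaderValue = 'http' stops it. It assumes the router forwards plain HTTP to the app and records the client's scheme in X-Forwarded-Proto; the closures forward, connectionCheck, headerCheck and visit are hypothetical names.

```groovy
// Simplified model (an assumption, not the plugin's source) of two ways a
// secure-channel check can decide whether a request needs an HTTPS redirect.

// The router terminates TLS: the app always sees plain HTTP, and the client's
// original scheme survives only in the X-Forwarded-Proto header.
def forward = { String clientScheme ->
    [scheme: 'http', headers: ['X-Forwarded-Proto': clientScheme]]
}

// Check 1: look at the connection the app itself sees (always 'http' here).
def connectionCheck = { req -> req.scheme != 'https' }

// Check 2: header check, using the secureHeaderName/secureHeaderValue settings
// from the page: redirect to HTTPS when the header equals 'http'.
def secureHeaderName = 'X-FORWARDED-PROTO'
def secureHeaderValue = 'http'
def headerCheck = { req ->
    // Header names are matched ignoring case, as HTTP defines them.
    def entry = req.headers.find { k, v -> k.equalsIgnoreCase(secureHeaderName) }
    entry?.value == secureHeaderValue
}

// Follow redirects the way a browser would; give up after maxHops attempts.
def visit = { String startScheme, Closure needsRedirect, int maxHops = 10 ->
    def scheme = startScheme
    for (hops in 0..<maxHops) {
        if (!needsRedirect(forward(scheme))) {
            return 'served over ' + scheme + ' after ' + hops + ' redirect(s)'
        }
        scheme = 'https'   // client follows the redirect to the HTTPS URL
    }
    'redirect loop (gave up after ' + maxHops + ' redirects)'
}

println 'connection check: ' + visit('http', connectionCheck)
println 'header check:     ' + visit('http', headerCheck)

// The connection-based check never sees HTTPS, so it redirects forever;
// the header check redirects once and then serves the page.
assert visit('http', connectionCheck).startsWith('redirect loop')
assert visit('http', headerCheck) == 'served over https after 1 redirect(s)'
assert visit('https', headerCheck) == 'served over https after 0 redirect(s)'
```

The header is only a reliable signal when the router in front of the app sets it on every request; an app reachable without that router would be trusting a client-supplied value.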