Test

.gcp.env

@@ -1,4 +1,4 @@
-SENTRIUS_VERSION=1.0.15
+SENTRIUS_VERSION=1.0.17
 SENTRIUS_SSH_VERSION=1.0.2
 SENTRIUS_KEYCLOAK_VERSION=1.0.4
 SENTRIUS_AGENT_VERSION=1.0.11

api/src/main/java/io/sentrius/sso/config/SecurityConfig.java

@@ -12,6 +12,7 @@
 import io.sentrius.sso.core.services.UserService;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -38,6 +39,9 @@ public class SecurityConfig {
     private final CustomAuthenticationSuccessHandler successHandler;
     final UserService userService;
 
+    @Value("${https.required:false}") // Default is false
+    private boolean httpsRequired;
+
 
     @Bean
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
@@ -54,6 +58,13 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
             )
             .cors(Customizer.withDefaults());
 
+        if (httpsRequired) {
+            http.requiresChannel(channel -> channel
+                .requestMatchers("/actuator/**").requiresInsecure() // Allow HTTP for Actuator
+                .anyRequest().requiresSecure() // Force HTTPS for all other requests
+            );
+        }
+
 
         return http.build();
     }

api/src/main/resources/application.properties

@@ -75,4 +75,5 @@ spring.security.oauth2.resourceserver.jwt.issuer-uri=http://192.168.1.162:8180/r
 spring.security.oauth2.client.provider.keycloak.issuer-uri=http://192.168.1.162:8180/realms/sentrius
 
 management.endpoints.web.exposure.include=health
-management.endpoint.health.show-details=always
+management.endpoint.health.show-details=always
+https.required=false

sentrius-chart/values.yaml

@@ -65,6 +65,7 @@ sentrius:
       spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email
       spring.security.oauth2.resourceserver.jwt.issuer-uri=http://sentrius-keycloak:30081/realms/sentrius
       spring.security.oauth2.client.provider.keycloak.issuer-uri=http://sentrius-keycloak:30081/realms/sentrius
+      https.required=false
     dynamic: |
       auditorClass=io.sentrius.sso.automation.auditing.AccessTokenAuditor
       twopartyapproval.option.LOCKING_SYSTEMS=true

sentrius-gcp-chart/templates/configmap.yaml

@@ -106,8 +106,9 @@ data:
     spring.security.oauth2.client.registration.keycloak.scope={{ .Values.sentrius.oauth2.scope }}
     spring.security.oauth2.resourceserver.jwt.issuer-uri=https://keycloak.{{ .Values.subdomain }}/realms/sentrius
     spring.security.oauth2.client.provider.keycloak.issuer-uri=https://keycloak.{{ .Values.tenant }}.sentrius.cloud/realms/sentrius
-    server.forward-headers-strategy=native
+    server.forward-headers-strategy=framework
     https.redirect.enabled=true
+    https.required=true
   dynamic.properties: |
     auditorClass=io.sentrius.sso.automation.auditing.AccessTokenAuditor
     twopartyapproval.option.LOCKING_SYSTEMS=true