Channel security

In addition to authentication and authorization, Spring Security can check additional properties of each request reaching the server: the protocol (transport type, HTTP or HTTPS), the presence of certain HTTP headers, and more. SSL is now the de facto standard for any web application (or website), and many search engines (Google, for example) even penalize your website if it is not served over HTTPS. SSL secures the channel on which data flows from client to server and vice versa.

Spring Security can be configured to match URL patterns and explicitly redirect the user to HTTPS if the request arrives over HTTP.

This can be easily done by configuring the appropriate URL pattern in your Spring Security configuration, as shown here:

// Requests matching /httpsRequired/** must arrive over HTTPS
http.requiresChannel().antMatchers("/httpsRequired/**").requiresSecure();

When a user requests a URL matching the /httpsRequired/** pattern over HTTP, Spring Security redirects the user to the same URL with the HTTPS protocol. The following configuration is used to secure all requests:

// Every request must arrive over HTTPS
http.requiresChannel().anyRequest().requiresSecure();

To explicitly mark certain URLs as insecure (HTTP), use the following code:

http.requiresChannel().antMatchers("/httpRequired/**").requiresInsecure();

The following code snippet shows how to specify any request to be HTTP (insecure):

http.requiresChannel().anyRequest().requiresInsecure();
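
The HTTPS redirect described above, placed in a complete configuration class. This is an added example, not code from the book: the class name ChannelSecurityConfig and the ports 9080 and 9443 are assumptions, and it uses the WebSecurityConfigurerAdapter style that matches the antMatchers API shown on this page.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; ports 9080/9443 are assumed for illustration.
@Configuration
@EnableWebSecurity
public class ChannelSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The redirect to HTTPS needs to know which HTTPS port pairs
            // with the HTTP port the request arrived on. Declare the pair
            // when the application listens on non-standard ports.
            .portMapper()
                .http(9080).mapsTo(9443)
                .and()
            // Channel rules are separate from authorization rules:
            // they are configured on HttpSecurity itself.
            // requiresSecure() decides from HttpServletRequest.isSecure().
            // Behind a TLS-terminating proxy the container must honour the
            // forwarded-protocol headers, or every request looks like HTTP
            // and is redirected again.
            .requiresChannel()
                .antMatchers("/httpsRequired/**").requiresSecure()
                .and()
            // Authorization is evaluated independently of the channel check.
            .authorizeRequests()
                .antMatchers("/httpsRequired/**").authenticated()
                .anyRequest().permitAll();
    }
}
```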