gh-83 do not force http when SSL is not enabled

samples/tutorials/resource-server_with_jwtauthenticationtoken/README.md

@@ -132,8 +132,6 @@ public class SecurityConfig {
  // If SSL enabled, disable http (https only)
  if (serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled()) {
  http.requiresChannel().anyRequest().requiresSecure();
- } else {
- http.requiresChannel().anyRequest().requiresInsecure();
  }
 
  // Route security: authenticated to all routes but actuator and Swagger-UI

samples/tutorials/resource-server_with_jwtauthenticationtoken/src/main/java/com/c4soft/springaddons/tutorials/SecurityConfig.java

@@ -102,8 +102,6 @@ SecurityFilterChain filterChain(HttpSecurity http,
  // If SSL enabled, disable http (https only)
  if (serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled()) {
  http.requiresChannel().anyRequest().requiresSecure();
- } else {
- http.requiresChannel().anyRequest().requiresInsecure();
  }
 
  // Route security: authenticated to all routes but actuator and Swagger-UI

samples/tutorials/resource-server_with_ui/README.md

@@ -150,8 +150,6 @@ public class WebSecurityConfig {
  // If SSL enabled, disable http (https only)
  if (isSsl) {
  http.requiresChannel().anyRequest().requiresSecure();
- } else {
- http.requiresChannel().anyRequest().requiresInsecure();
  }
 
  // compared to API filter-chain:

samples/tutorials/resource-server_with_ui/src/main/java/com/c4soft/springaddons/tutorials/WebSecurityConfig.java

@@ -23,9 +23,8 @@ public class WebSecurityConfig {
 
  /**
  * <p>
- * A default SecurityFilterChain is already defined by
- * spring-addons-webmvc-jwt-resource-server to secure all API endpoints
- * (actuator and REST controllers)
+ * A default SecurityFilterChain is already defined by spring-addons-webmvc-jwt-resource-server to secure all API endpoints (actuator and
+ * REST controllers)
  * </p>
  * We define here another SecurityFilterChain for server-side rendered pages:
  * <ul>
@@ -34,22 +33,21 @@ public class WebSecurityConfig {
  * <li>Thymeleaf pages served by UiController</li>
  * </ul>
  * <p>
- * It important to note that in this scenario, the end-user browser is not an
- * OAuth2 client. Only the part of the server-side part of the Spring
- * application secured with this filter chain is. Requests between the browser
- * and Spring OAuth2 client are secured with <b>sessions</b>. As so, <b>CSRF
- * protection must be active</b>.
+ * It important to note that in this scenario, the end-user browser is not an OAuth2 client. Only the part of the server-side part of the
+ * Spring application secured with this filter chain is. Requests between the browser and Spring OAuth2 client are secured with
+ * <b>sessions</b>. As so, <b>CSRF protection must be active</b>.
  * </p>
  *
- * @param http
- * @param serverProperties
- * @return an additional security filter-chain for UI elements (with OAuth2
- * login)
+ * @param http
+ * @param serverProperties
+ * @return an additional security filter-chain for UI elements (with OAuth2 login)
  * @throws Exception
  */
  @Order(Ordered.HIGHEST_PRECEDENCE)
  @Bean
- SecurityFilterChain uiFilterChain(HttpSecurity http, ServerProperties serverProperties,
+ SecurityFilterChain uiFilterChain(
+ HttpSecurity http,
+ ServerProperties serverProperties,
  Converter<Map<String, Object>, Collection<? extends GrantedAuthority>> authoritiesConverter)
  throws Exception {
  boolean isSsl = serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled();
@@ -64,7 +62,7 @@ SecurityFilterChain uiFilterChain(HttpSecurity http, ServerProperties serverProp
  // and OAuth2 client callback endpoints
  new AntPathRequestMatcher("/login/**"),
  new AntPathRequestMatcher("/oauth2/**")));
- 
+
  http.oauth2Login()
  // I don't know quite why we are redirected to authorization-server port by default as initial login page is generated on client :/
  .loginPage("%s://localhost:%d/oauth2/authorization/spring-addons-public".formatted(isSsl ? "https" : "http", serverProperties.getPort()) )
@@ -78,7 +76,7 @@ SecurityFilterChain uiFilterChain(HttpSecurity http, ServerProperties serverProp
  .map(OidcUserAuthority.class::cast)
  .flatMap(oua -> authoritiesConverter.convert(oua.getIdToken().getClaims()).stream()).toList()
  );
- 
+
  http.authorizeHttpRequests()
  .requestMatchers("/login/**").permitAll()
  .requestMatchers("/oauth2/**").permitAll()
@@ -88,8 +86,6 @@ SecurityFilterChain uiFilterChain(HttpSecurity http, ServerProperties serverProp
  // If SSL enabled, disable http (https only)
  if (isSsl) {
  http.requiresChannel().anyRequest().requiresSecure();
- } else {
- http.requiresChannel().anyRequest().requiresInsecure();
  }
 
  // compared to API filter-chain:

webmvc/spring-addons-webmvc-introspecting-resource-server/src/main/java/com/c4_soft/springaddons/security/oauth2/config/synchronised/AddonsWebSecurityBeans.java

@@ -189,8 +189,6 @@ SecurityFilterChain filterChain(
 
  if (serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled()) {
  http.requiresChannel().anyRequest().requiresSecure();
- } else {
- http.requiresChannel().anyRequest().requiresInsecure();
  }
 
  expressionInterceptUrlRegistryPostProcessor.authorizeHttpRequests(

webmvc/spring-addons-webmvc-jwt-resource-server/src/main/java/com/c4_soft/springaddons/security/oauth2/config/synchronised/AddonsWebSecurityBeans.java

@@ -182,8 +182,6 @@ SecurityFilterChain filterChain(
 
  if (serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled()) {
  http.requiresChannel().anyRequest().requiresSecure();
- } else {
- http.requiresChannel().anyRequest().requiresInsecure();
  }
 
  expressionInterceptUrlRegistryPostProcessor.authorizeHttpRequests(

webmvc/spring-addons-webmvc-test/src/main/java/com/c4_soft/springaddons/security/oauth2/test/mockmvc/AddonsWebmvcTestConf.java

@@ -132,8 +132,6 @@ SecurityFilterChain filterChain(HttpSecurity http, ServerProperties serverProper
 
  if (serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled()) {
  http.requiresChannel().anyRequest().requiresSecure();
- } else {
- http.requiresChannel().anyRequest().requiresInsecure();
  }
 
  return http.build();