Remember how we earlier mentioned the extra security headers that Spring Security provides? Let's pause for a moment and check them out from the command line using curl:
$ curl -i localhost:8080/teammates
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: https://localhost:8443/teammates
Content-Length: 0
Date: Wed, 27 Aug 2014 01:17:02 GMT
From this, we can see a 302 redirect to the secured SSL address, https://localhost:8443/teammates. Let's follow that and try again, adding -k so that curl skips certificate verification:
$ curl -i -k https://localhost:8443/teammates
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=2DF972B5847F02C6A90778FE12A8619D; Path=/; Secure; HttpOnly
Location: https://localhost:8443/login
Content-Length: 0
Date...
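The manual check above can be scripted so that a regression in the headers is caught automatically. This is an added example, not code from the original text: the function names (header_value, fail, audit_headers) are hypothetical, and the expected values are simply the ones shown in the second response.

```shell
# Added example: audit a `curl -i` response for the headers shown above.
# Live use: curl -s -i -k https://localhost:8443/teammates | audit_headers

# Print the value of header $1 (case-insensitive name) found in response $2.
header_value() {
    printf '%s\n' "$2" | tr -d '\r' | awk -v name="$1" '
        BEGIN { n = tolower(name) ":" }
        tolower(substr($0, 1, length(n))) == n {
            v = substr($0, length(n) + 1); sub(/^[ \t]+/, "", v); print v; exit
        }'
}

fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

# Read a response on stdin, print one line per finding, return 1 if any.
audit_headers() {
    resp=$(cat); findings=0
    [ "$(header_value X-Content-Type-Options "$resp")" = "nosniff" ] ||
        fail "X-Content-Type-Options is not nosniff"
    [ "$(header_value X-Frame-Options "$resp")" = "DENY" ] ||
        fail "X-Frame-Options is not DENY"
    case "$(header_value Cache-Control "$resp")" in
        *no-store*) ;;
        *) fail "Cache-Control lacks no-store" ;;
    esac
    # HSTS needs a positive max-age; the page's value has a space before ';'.
    max_age=$(header_value Strict-Transport-Security "$resp" |
        sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ "${max_age:-0}" -gt 0 ] || fail "Strict-Transport-Security missing or max-age=0"
    # Only judge cookie flags when a cookie is actually set.
    cookie=$(header_value Set-Cookie "$resp" | tr 'A-Z' 'a-z')
    if [ -n "$cookie" ]; then
        case "$cookie" in *"; secure"*) ;; *) fail "cookie lacks Secure" ;; esac
        case "$cookie" in *"; httponly"*) ;; *) fail "cookie lacks HttpOnly" ;; esac
    fi
    [ "$findings" -eq 0 ]
}

# Sample responses copied from the two transcripts above (some lines omitted).
HTTP_SAMPLE='HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: https://localhost:8443/teammates'
HTTPS_SAMPLE='HTTP/1.1 302 Found
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=2DF972B5847F02C6A90778FE12A8619D; Path=/; Secure; HttpOnly'
```

Piping the HTTPS sample through audit_headers prints nothing and returns 0, while the plain-HTTP redirect, which carries none of the headers, produces four FAIL lines.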