Announcement: You can find the guides for Commerce 7.5 and later on the new Elastic Path Documentation site. This Developer Center contains the guides for Commerce 6.13.0 through 7.4.1.

This version of Elastic Path Commerce is no longer supported or maintained. To upgrade to the latest version, contact your Elastic Path representative.

Security (Storefront)

Elastic Path uses the Spring Security framework for user authentication and authorization. The security.xml file, which is located in ep-storefront\src\main\resources\spring\security, contains the security settings you need to configure.

Configuring the HTTPS port redirect

You can configure the application server to switch to the HTTPS port for pages that require it, based on the request port number. In security.xml, the http and https attributes of the <port-mapping> element define the HTTP and HTTPS ports. The following example shows how to redirect requests on port 8080 to port 8443:

      <port-mapping http="8080" https="8443" />

Enabling/Disabling SSL

Not all URLs in your applications need to be secure. Elastic Path pre-configures URLs for the Elastic Path web applications; see Spring Security Filters for the list. To configure SSL for specific URLs, locate the URL's <intercept-url> element in security.xml and set the requires-channel attribute to https or http. For example, to enable SSL for /checkout.ep* URLs in Elastic Path Commerce, the <intercept-url> element would look like this:

<intercept-url pattern="/commerce-legacy/checkout.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="https" />
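
The following added example (not part of the Elastic Path documentation or code base) is a small Python check for the two settings described above: it flags <port-mapping> values that are not plain port numbers and <intercept-url> patterns that should require HTTPS but do not. The sample XML, the account.ep pattern, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample for illustration; not the shipped security.xml.
# The account.ep pattern and the padded port value are made up.
SAMPLE = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http>
    <intercept-url pattern="/commerce-legacy/checkout.ep*"
        access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="https" />
    <intercept-url pattern="/commerce-legacy/account.ep*"
        access="ROLE_CUSTOMER" requires-channel="http" />
    <port-mappings>
      <port-mapping http="8080 " https="8443" />
    </port-mappings>
  </http>
</beans:beans>"""


def local_name(tag):
    """Drop the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def valid_port(value):
    """True only for a bare decimal TCP port, with no padding or sign."""
    return value.isascii() and value.isdigit() and 0 < int(value) < 65536


def audit(xml_text, sensitive=("checkout.ep",)):
    """Return (kind, detail) findings in document order."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = local_name(el.tag)
        if name == "port-mapping":
            for attr in ("http", "https"):
                value = el.get(attr, "")
                if not valid_port(value):
                    findings.append(("bad-port", f"{attr}={value!r}"))
        elif name == "intercept-url":
            pattern = el.get("pattern", "")
            # A missing requires-channel means no channel is enforced.
            channel = el.get("requires-channel")
            if any(s in pattern for s in sensitive) and channel != "https":
                findings.append(("not-https", pattern))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE, sensitive=("checkout.ep", "account.ep")):
        print(kind, detail)
```

Pass the substrings of the URL patterns your deployment treats as sensitive in the sensitive argument; the default covers only the checkout.ep pattern shown on this page.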