Elastic Path Core Commerce uses the Spring Security framework for user authentication and authorization. The security.xml file, which is located in ep-storefront\src\main\resources\spring\security, contains the security settings you need to configure.
Configuring the HTTPS port redirect
You can configure the application server to switch to the HTTPS port for pages that require it, based on the request port number. In security.xml, the http and https attributes of the <port-mapping> element define the HTTP and HTTPS ports. The following example shows how to redirect requests on port 8080 to port 8443:
<port-mappings>
    <port-mapping http="8080" https="8443" />
</port-mappings>
Not all URLs in your applications need to be secure. Elastic Path pre-configures URLs for the web applications; see Spring Security Filters for the list. To configure SSL for specific URLs, locate the URL's <intercept-url> element in security.xml and set the requires-channel attribute to https or http. For example, for Elastic Path Commerce, if you wanted to enable SSL for /checkout.ep* URLs, the <intercept-url> element would look like this:
<intercept-url pattern="/commerce-legacy/checkout.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="https" />
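The two settings above can be checked together before deployment. The following script is an added example, not Elastic Path code: it reads a security.xml and reports sensitive URL patterns that do not require the https channel, plus port-mapping values that are not clean port numbers. The sample XML, the second URL pattern and the SENSITIVE keyword list are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the shipped security.xml. The second pattern is
# hypothetical, and the http port carries a stray space on purpose.
SAMPLE = """\
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans">
  <http>
    <intercept-url pattern="/commerce-legacy/checkout.ep*"
        access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="https" />
    <intercept-url pattern="/commerce-legacy/hypothetical-account.ep*"
        access="ROLE_CUSTOMER" />
    <port-mappings>
      <port-mapping http="8080 " https="8443" />
    </port-mappings>
  </http>
</beans:beans>
"""

# Assumption: substrings the reviewer expects to be served only over HTTPS.
SENSITIVE = ("checkout", "account")


def audit(xml_text, sensitive=SENSITIVE):
    """Return (kind, subject, value) findings for channel and port settings."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if name == "intercept-url":
            pattern = el.get("pattern", "")
            channel = el.get("requires-channel")
            if any(s in pattern for s in sensitive) and channel != "https":
                findings.append(("channel", pattern, channel or "unset"))
        elif name == "port-mapping":
            for attr in ("http", "https"):
                raw = el.get(attr, "")
                # Ports must be plain ASCII integers in 1..65535, no padding.
                ok = raw.isascii() and raw.isdigit() and 0 < int(raw) < 65536
                if not ok:
                    findings.append(("port", attr, raw))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The keyword match is a review heuristic, not a reimplementation of Spring Security's pattern matching, so treat each finding as a line to inspect by hand.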