2 Replies Latest reply on Jun 20, 2005 6:27 PM by darickard

    requiring SSL for non-servlet/non-EJB JSE

    darickard

      JBoss 4.0.2
      Tomcat 5.5
      Java 1.5.0 Update3

      I've got SSL working on my server, and I can access my web service via http or https. I only want my service to be accessible via https.

      How can I require an https connection to a java service endpoint? It seems it cannot be done within the endpoint class since I don't have access to the HttpServletRequest, and I cannot add a <transport-guarantee> element in a jboss.xml file like I could if it was an EJB.

      Is there some entry in the myriad of configuration files needed for a web service that will require an HTTPS connection for a JSE?

      Many thanks in advance,
      DR

        • 1. Re: requiring SSL for non-servlet/non-EJB JSE
          thomas.diesler

          From web-app_2_4.xsd

           <xsd:complexType name="transport-guaranteeType">
             <xsd:annotation>
               <xsd:documentation>

                 The transport-guaranteeType specifies that the communication
                 between client and server should be NONE, INTEGRAL, or
                 CONFIDENTIAL. NONE means that the application does not
                 require any transport guarantees. A value of INTEGRAL means
                 that the application requires that the data sent between the
                 client and server be sent in such a way that it can't be
                 changed in transit. CONFIDENTIAL means that the application
                 requires that the data be transmitted in a fashion that
                 prevents other entities from observing the contents of the
                 transmission. In most cases, the presence of the INTEGRAL or
                 CONFIDENTIAL flag will indicate that the use of SSL is
                 required.

                 Used in: user-data-constraint

               </xsd:documentation>
             </xsd:annotation>

             <xsd:simpleContent>
               <xsd:restriction base="j2ee:string">
                 <xsd:enumeration value="NONE"/>
                 <xsd:enumeration value="INTEGRAL"/>
                 <xsd:enumeration value="CONFIDENTIAL"/>
               </xsd:restriction>
             </xsd:simpleContent>
           </xsd:complexType>
          
          


          • 2. Re: requiring SSL for non-servlet/non-EJB JSE
            darickard

            Thanks, Thomas. I overlooked the web-app/security-constraint/user-data-constraint/transport-guarantee element that can be used in web.xml. For anyone interested, you can add something like the following in your web.xml so that SSL/TLS is required. The key is the CONFIDENTIAL transport-guarantee:

             <!-- Require SSL for this web service. -->
             <security-constraint>
               <web-resource-collection>
                 <web-resource-name>someName</web-resource-name>
                 <url-pattern>/*</url-pattern>
                 <http-method>GET</http-method>
                 <http-method>POST</http-method>
               </web-resource-collection>
               <user-data-constraint>
                 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
               </user-data-constraint>
             </security-constraint>
            


            Argh - it seems all the information is out there, it's just hard to find it all and bring it together to fit your implementation! Slowly, I'm learning where to look for what.

            Thanks again for your help!
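
Added example, not part of the original thread: a Python check that reads a web.xml and reports where a CONFIDENTIAL or INTEGRAL constraint leaves requests unconstrained. In the Servlet 2.4 descriptor, a web-resource-collection that lists http-method elements constrains only those methods, so the posted snippet is reported for methods other than GET and POST. The function name, finding strings and SAMPLE_WEB_XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint posted in the thread, in a 2.4 descriptor.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>someName</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on element names.
    return tag.rsplit("}", 1)[-1]

def _texts(node, name):
    return [(c.text or "").strip() for c in node.iter() if _local(c.tag) == name]

def audit_transport_guarantee(web_xml):
    """Return findings about HTTPS enforcement in a web.xml string (hypothetical helper)."""
    root = ET.fromstring(web_xml)
    findings, protected = [], False
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        guarantee = _texts(sc, "transport-guarantee")
        if not guarantee or guarantee[0] not in ("CONFIDENTIAL", "INTEGRAL"):
            continue  # NONE or absent: this constraint does not force SSL
        protected = True
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            patterns = ",".join(_texts(wrc, "url-pattern"))
            methods = _texts(wrc, "http-method")
            if methods:
                # Listed methods narrow the constraint; unlisted ones stay unconstrained.
                findings.append("%s: only %s constrained" % (patterns, ",".join(methods)))
            if "/*" not in patterns.split(","):
                findings.append("%s: not the whole application" % patterns)
    if not protected:
        findings.append("no constraint requires CONFIDENTIAL or INTEGRAL")
    return findings

if __name__ == "__main__":
    for finding in audit_transport_guarantee(SAMPLE_WEB_XML):
        print(finding)
```

Removing the two http-method elements makes the constraint apply to every HTTP method, and the check then returns no findings.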