-
1. Re: SSL - 403 Forbidden
friendly_green_giant Sep 16, 2011 12:51 PM (in response to kdorfer)
Ironic - I'm also setting up a new JBoss AS7... I'm not migrating though.
But my post is regarding myself having the same issue. Has anyone else had this issue? Not sure if mine is the same as kdorf, but I'll try whatever he finds or the community suggests.
-
2. Re: SSL - 403 Forbidden
kdorfer Sep 16, 2011 4:14 PM (in response to friendly_green_giant)
I'm actually still working through this. I have a feeling there might be some sort of security setting that I'm missing. Like I said, I'm getting to the address and I can see the cert, but the JBoss isn't serving me up the web application. I'm not even seeing any activity in the access log (when using HTTPS).
-
3. Re: SSL - 403 Forbidden
jaikiran Sep 19, 2011 3:51 AM (in response to kdorfer)
Which specific version of JBoss AS7? What do your security configurations in the web application look like?
-
4. Re: SSL - 403 Forbidden
kdorfer Sep 19, 2011 1:52 PM (in response to jaikiran)
I'm using 7.0.1Final. I actually don't need any security configurations in the web application. There is no protected content where someone needs to log in. These pages are checkout pages in a shopping cart application. We only need them to be accessible over an HTTPS connection. Any help you can provide will be greatly appreciated.
-
5. Re: SSL - 403 Forbidden
jaikiran Sep 20, 2011 12:48 PM (in response to kdorfer)
kdorfer wrote:
I'm using 7.0.1Final. I actually don't need any security configurations in the web application. There is no protected content where someone needs to log in. These pages are checkout pages in a shopping cart application. We only need them to be accessible over an HTTPS connection. Any help you can provide will be greatly appreciated.
You still need to configure that in your web.xml. You'll have to tell the server that certain pages/resources in your application need HTTPS transport. You can do this by using the user-data-constraint element in the web.xml. Something like:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>wholesale</web-resource-name>
    <url-pattern>/checkout/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
See "Specifying a Secure Connection" section here http://download.oracle.com/javaee/6/tutorial/doc/gkbaa.html#bncbl. Also take a look at the web-app xsd used by your web.xml.
-
6. Re: SSL - 403 Forbidden
kdorfer Sep 20, 2011 2:21 PM (in response to jaikiran)
I made some modifications but am still having the same issue. Here is what I added (in regards to security) to my application's web.xml file:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>ALL PAGES</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>NONE</auth-method>
</login-config>
Ultimately, I want to let anyone access the HTTPS pages without having to do any sort of authentication. With the above changes in place, if I attempt to access the web site with HTTP it does a 302 redirect to HTTPS. When this happens, however, I still get the 403 error message. As an FYI, the 403 isn't displayed in the actual web page - I only see it in the response header:
HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Tue, 20 Sep 2011 18:10:53 GMT
This same application works in older versions of JBoss AS. I just can't seem to get it to work on AS7.
Thanks,
Kurt
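
An added example, not part of the original thread and not JBoss code: a small Python audit of the two descriptors posted above. For each security-constraint it reports whether the transport guarantee is CONFIDENTIAL, whether an auth-constraint is present (which, under the Servlet specification, makes the container require an authenticated caller), and whether an http-method list leaves other methods outside the constraint. The web-app wrappers and the names local, texts and audit are constructed for this example.

```python
import xml.etree.ElementTree as ET
# Constructed inputs: the two descriptors from the thread, wrapped in <web-app>.
ANSWER_XML = """<web-app><security-constraint>
  <web-resource-collection><web-resource-name>wholesale</web-resource-name>
    <url-pattern>/checkout/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""

POSTED_XML = """<web-app><security-constraint>
  <web-resource-collection><web-resource-name>ALL PAGES</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>
<login-config><auth-method>NONE</auth-method></login-config></web-app>"""

def local(tag):
    """Drop any XML namespace so namespaced and bare descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def texts(elem, name):
    """Text of every element called `name` at or below `elem`."""
    return [(e.text or "").strip() for e in elem.iter() if local(e.tag) == name]

def audit(web_xml):
    """Return one finding per <security-constraint> in a web.xml string."""
    root = ET.fromstring(web_xml)
    login = texts(root, "auth-method")          # from <login-config>, if any
    findings = []
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        auth = [e for e in sc if local(e.tag) == "auth-constraint"]
        methods = texts(sc, "http-method")
        notes = []
        if "CONFIDENTIAL" not in texts(sc, "transport-guarantee"):
            notes.append("transport is not CONFIDENTIAL")
        if methods:  # a method list narrows the constraint to those methods
            notes.append("methods other than %s are unconstrained" % "/".join(methods))
        if auth and (not login or login == ["NONE"]):
            notes.append("auth-constraint set, but login-config offers no login")
        findings.append({"patterns": texts(sc, "url-pattern"),
                         "requires_login": bool(auth), "notes": notes})
    return findings

if __name__ == "__main__":
    print(audit(ANSWER_XML), audit(POSTED_XML), sep="\n")
```
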