3 Replies Latest reply on Jul 21, 2009 12:33 PM by steffi.stephanie.stroka.salzburgresearch.at

    Defining an AbstractResource subclass as HTTPS secured

    steffi.stephanie.stroka.salzburgresearch.at

      Hello everyone,


      I'm trying to use a subclass of org.jboss.seam.web.AbstractResource on an HTTPS/SSL secured transport layer. Does anyone know how I can define that?


      thanks and best regards,
      Stephanie

        • 1. Re: Defining an AbstractResource subclass as HTTPS secured
          christian.bauer

          HTTP vs. HTTPS is several layers above AbstractResource. You'd first have to set up your frontend webserver (Apache, Tomcat) to use SSL, then do whole lot more configuration outside of Seam to get it working, then consider things like redirects for HTTP to HTTPs on certain URIs, etc. The AbstractResource is the same, no matter what transport is being used. Just like a servlet is the same for both.


          • 2. Re: Defining an AbstractResource subclass as HTTPS secured
            steffi.stephanie.stroka.salzburgresearch.at

            Thanks for your reply, Christian.


            Could you be a little bit more precise on




            ...whole lot more configuration outside of Seam...

            and



            ...consider things like redirects for HTTP to HTTPs on certain URIs...

            I think I've configured JBoss (server.xml) to use SSL, but behind that I'm lost. I thought that I'll just need to define something like


            <security-constraint>
              <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
            </security-constraint>




            in web.xml. Is that correct? Where exactly do I have to put that? I need this resource on a secure layer, because I'd like to read X509 certificates, but besides that the application should run on HTTP without SSL.


            Thanks again,
            Stephanie

            • 3. Re: Defining an AbstractResource subclass as HTTPS secured
              steffi.stephanie.stroka.salzburgresearch.at

              Ok, I figured it out...
              For those who have the same problem:
              I added



              <web-app...> 
              ...
              <security-constraint>
                  <web-resource-collection>
                      <web-resource-name>idp</web-resource-name>
                      <url-pattern>/seam/resource/idp</url-pattern>
                  </web-resource-collection>
                  <user-data-constraint>
                      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                  </user-data-constraint>
              </security-constraint>
              
              ...
              </web-app>




              to web.xml and now it rediretc to a HTTPS secured URL.