4 Replies Latest reply on Aug 20, 2013 4:13 AM by stsc

    Redirect http to https is ignored

    stsc

      Hi

       

      I'm trying to set up http to https redirect to ensure use of SSL for my REST services.

       

      I have tried the guide (https://docs.jboss.org/author/display/AS71/SSL+setup+guide)

       

      The configuration looks like this:

       

              <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
                  <!-- redirect-port is only consulted when a request hits a resource whose security
                       constraint demands CONFIDENTIAL transport; by itself it redirects nothing -->
                  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="8443"/>
                  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
                      <ssl name="ssl" key-alias="apiCERT" password="mypassword" certificate-key-file="${jboss.server.config.dir}/jboss.keystore" protocol="TLSv1"/>
                  </connector>
                  <virtual-server name="default-host" enable-welcome-root="true">
                      <alias name="localhost"/>
                      <alias name="example.com"/>
                  </virtual-server>
              </subsystem>

       

      If I access the REST services directly over https, it works as expected, i.e.:

       

      https://localhost:8443/api/rest/readings/1/5246

       

      However, if I try to use the normal http URL, it passes straight through and hits the REST endpoint without SSL:

       

      http://localhost:8080/api/rest/readings/1/5246

       

      I wonder if there is some obvious point I'm missing.

       

      The platform is JBoss 7.1.1.Final, Java 7 u25 on Windows 8

       

      ... and this is NOT what I expect

        • 1. Re: Redirect http to https is ignored
          ctomc

          Hi,

           

          All works as it should according to your configuration.

           

          If you want your application to be accessible only via SSL, and redirected to it if not, you should add

           

          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>SECURE</web-resource-name>
                  <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
          </security-constraint>

          to your web.xml

           

          --

          tomaz

          • 2. Re: Redirect http to https is ignored
            stsc

            Well, then I have to introduce a web.xml. So far I have managed without, like the "getting started" tutorials that come with AS7. According to these, the web.xml is not required for Java EE 6 applications.

            • 3. Re: Redirect http to https is ignored
              ctomc

              Then just add security constraint annotations.

               

              web.xml is optional, but for some fine-tuning it is still useful

               

              You could probably add something like this to your bean

              @ServletSecurity(value=@HttpConstraint(transportGuarantee=ServletSecurity.TransportGuarantee.CONFIDENTIAL))

              but it is easier to configure it app-wide in web.xml

               

              take a look at https://blogs.oracle.com/swchan/entry/follow_up_on_servlet_3 for more information about this.

               

              Also, you can remove/disable the http connector that serves non-SSL requests; that way you will make sure no non-SSL requests are ever processed.
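As an added example (not code from this thread or from JBoss), here is the annotation route applied to the one place the container honours it: a servlet class carrying @WebServlet. The class name SecureOnlyServlet and the /secure/* pattern are assumptions. One caveat before trying this on a REST application: a Servlet 3.0 container only reads @ServletSecurity from servlet classes, so placing it on a JAX-RS resource class or an EJB has no effect. With no web.xml, the REST endpoints are served by the RESTEasy dispatcher servlet, which you do not annotate yourself, so the web.xml constraint with url-pattern /* is the reliable way to cover them.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, hypothetical servlet: the CONFIDENTIAL guarantee on a plain-http request
// makes JBoss Web answer 302 to https://<host>:<redirect-port><request-uri> instead of
// running doGet. The annotation is only processed because the class is a @WebServlet.
@WebServlet(urlPatterns = "/secure/*")
@ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class SecureOnlyServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Reaching this point means the container already enforced the transport
        // guarantee, so isSecure() is true and the scheme is https.
        resp.setContentType("text/plain");
        resp.getWriter().printf("secure=%s scheme=%s uri=%s%n",
                req.isSecure(), req.getScheme(), req.getRequestURI());
    }
}
```

Deployed alongside a JAX-RS application, this protects /secure/* only; /api/rest/* is still untouched unless a web.xml constraint (or the removal of the http connector) covers it.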

              • 4. Re: Redirect http to https is ignored
                stsc

                Thank you for your help! It was much needed.

                 

                I could get the annotation to work, but I managed to get a web.xml constructed. A couple of notes:

                • I can't figure out what the parameter "redirect" is used for in the connector configuration of the subsystem if not redirecting
                • I understand the argument about "fine tuning" the application in the web.xml. What I don't understand is why the application can't be configured in the container alone. The web.xml is "just" a descriptor file, but it is still wrapped in the deployable
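To confirm that the constraint is actually in force, an added check (my example, not code from the thread or from JBoss): it requests the plain-http URL without following redirects and expects a 3xx whose Location is the same host and path on the https port; if the http connector has been removed as suggested in reply 3, a refused connection is also reported as acceptable. The URL and the port 8443 are the ones from the thread; the class name RedirectCheck is an assumption. Even with the redirect in place, the request line (path and query string) has already been sent in clear text before the 302 arrives, so nothing secret should travel in the URL, and API clients should be configured with the https URL rather than rely on being redirected.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.net.HttpURLConnection;
import java.net.URL;

/** Added example: verifies that a plain-http URL is redirected to https rather than served. */
public class RedirectCheck {

    /** Outcome of probing one URL. */
    enum Result { REDIRECTED_TO_HTTPS, SERVED_IN_CLEAR, HTTP_NOT_LISTENING, UNEXPECTED }

    static Result probe(String httpUrl, int expectedHttpsPort) throws IOException {
        URL requested = new URL(httpUrl);
        HttpURLConnection c;
        try {
            c = (HttpURLConnection) requested.openConnection();
            c.setInstanceFollowRedirects(false); // we want to see the 302 itself, not chase it
            c.setRequestMethod("GET");
            c.setConnectTimeout(3000);
            c.setReadTimeout(3000);
            c.connect();
        } catch (ConnectException e) {
            // http connector removed/disabled: nothing answers on the plain port at all
            return Result.HTTP_NOT_LISTENING;
        }
        try {
            int code = c.getResponseCode();
            String location = c.getHeaderField("Location");
            if (code >= 200 && code < 300) {
                return Result.SERVED_IN_CLEAR; // no CONFIDENTIAL constraint matched this URL
            }
            if (code / 100 == 3 && location != null) {
                URL target = new URL(location);
                boolean sameResourceOverTls = "https".equals(target.getProtocol())
                        && target.getHost().equals(requested.getHost())
                        && target.getPort() == expectedHttpsPort
                        && target.getPath().equals(requested.getPath());
                if (sameResourceOverTls) {
                    return Result.REDIRECTED_TO_HTTPS;
                }
            }
            return Result.UNEXPECTED;
        } finally {
            c.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        String url = args.length > 0 ? args[0] : "http://localhost:8080/api/rest/readings/1/5246";
        Result r = probe(url, 8443);
        System.out.println(url + " -> " + r);
        // For an SSL-only service only a redirect (or no plain-http listener) is acceptable
        System.exit(r == Result.REDIRECTED_TO_HTTPS || r == Result.HTTP_NOT_LISTENING ? 0 : 1);
    }
}
```

Run it against the http URL before and after adding the web.xml constraint: without the constraint it reports SERVED_IN_CLEAR, which is exactly the symptom described in the first post; with the constraint it reports REDIRECTED_TO_HTTPS; with the http connector removed it reports HTTP_NOT_LISTENING.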