-
1. Re: Redirect http to https is ignored
ctomc Aug 19, 2013 9:26 AM (in response to stsc)
Hi,
All works as it should according to your configuration.
If you want your application to be accessible only via SSL and redirected to it if not, you should add
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SECURE</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
to your web.xml
--
tomaz
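
One way to check that a web.xml really carries the constraint from the post above, as an added example that is not part of the original thread; the function names and the sample descriptors are constructed for illustration. It goes slightly beyond the post by also rejecting a constraint narrowed with http-method elements, which applies only to the listed methods.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Drop the XML namespace so namespaced and bare descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def confidential_patterns(web_xml):
    """url-patterns forced onto SSL for every HTTP method."""
    covered = []
    for sc in children(ET.fromstring(web_xml), "security-constraint"):
        guarantees = [tg.text.strip()
                      for udc in children(sc, "user-data-constraint")
                      for tg in children(udc, "transport-guarantee") if tg.text]
        if "CONFIDENTIAL" not in guarantees:
            continue
        for wrc in children(sc, "web-resource-collection"):
            # Listing http-method (or http-method-omission) narrows the
            # constraint to some methods, leaving the others unconstrained.
            if children(wrc, "http-method") or children(wrc, "http-method-omission"):
                continue
            covered += [p.text.strip() for p in children(wrc, "url-pattern") if p.text]
    return covered

def forces_https_everywhere(web_xml):
    return "/*" in confidential_patterns(web_xml)

# Constructed sample descriptors (Java EE 6 namespace), not taken from the thread.
NS = 'xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"'

def descriptor(pattern, extra=""):
    return f"""<web-app {NS}>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SECURE</web-resource-name>
      <url-pattern>{pattern}</url-pattern>{extra}
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

FROM_THREAD = descriptor("/*")                                 # constraint as posted
PARTIAL = descriptor("/admin/*")                               # only one path protected
GET_ONLY = descriptor("/*", "<http-method>GET</http-method>")  # other methods unprotected
NO_CONSTRAINT = f"<web-app {NS}/>"                             # no constraint at all

if __name__ == "__main__":
    for name in ("FROM_THREAD", "PARTIAL", "GET_ONLY", "NO_CONSTRAINT"):
        print(name, forces_https_everywhere(globals()[name]))
```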
-
2. Re: Redirect http to https is ignored
stsc Aug 19, 2013 9:41 AM (in response to ctomc)
Well, then I have to introduce a web.xml. So far I have managed without - like the "getting started" tutorials that come with AS7. According to these, the web.xml is not required for Java EE 6 applications.
-
3. Re: Redirect http to https is ignored
ctomc Aug 19, 2013 10:20 AM (in response to stsc)
Then just add security constraint annotations.
web.xml is optional, but for some fine tuning it is still useful.
You could probably add something like this to your bean
@ServletSecurity(value=@HttpConstraint(transportGuarantee=ServletSecurity.TransportGuarantee.CONFIDENTIAL))
but it is easier to configure it app-wide in web.xml.
Take a look at https://blogs.oracle.com/swchan/entry/follow_up_on_servlet_3 for more information about this.
Also, you can remove/disable the http connector that serves non-SSL requests; that way you will make sure no non-SSL requests are ever processed.
-
4. Re: Redirect http to https is ignored
stsc Aug 20, 2013 4:13 AM (in response to ctomc)
Thank you for your help! It was much needed.
I could get the annotation to work, but I managed to get a web.xml constructed. A couple of notes:
- I can't figure out what the parameter "redirect" is used for in the connector configuration of the subsystem if not redirecting
- I understand the argument about "fine tuning" the application in the web.xml. What I don't understand is why the application can't be configured in the container alone. The web.xml is "just" a descriptor file, but it is still wrapped in the deployable