<xsd:complexType name="transport-guaranteeType"> <xsd:annotation> <xsd:documentation> The transport-guaranteeType specifies that the communication between client and server should be NONE, INTEGRAL, or CONFIDENTIAL. NONE means that the application does not require any transport guarantees. A value of INTEGRAL means that the application requires that the data sent between the client and server be sent in such a way that it can't be changed in transit. CONFIDENTIAL means that the application requires that the data be transmitted in a fashion that prevents other entities from observing the contents of the transmission. In most cases, the presence of the INTEGRAL or CONFIDENTIAL flag will indicate that the use of SSL is required. Used in: user-data-constraint </xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:restriction base="j2ee:string"> <xsd:enumeration value="NONE"/> <xsd:enumeration value="INTEGRAL"/> <xsd:enumeration value="CONFIDENTIAL"/> </xsd:restriction> </xsd:simpleContent> </xsd:complexType>
Thanks, Thomas. I overlooked the web-app/security-constraint/user-data-constraint/transport-guarantee element that can be used in web.xml. For anyone interested, you can add something like the following in your web.xml so that SSL/TLS is required. The key is the CONFIDENTIAL transport-guarantee:
<!-- Require SSL for this web service. --> <security-constraint> <web-resource-collection> <web-resource-name>someName</web-resource-name> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
Argh - it seems all the information is out there, it's just hard to find it all and bring it together to fit your implementation! Slowly, I'm learning where to look for what.
Thanks again for your help!