6 Replies Latest reply on Sep 20, 2011 2:21 PM by kdorfer

    SSL - 403 Forbidden

    kdorfer Newbie

      Hi,

       

      I've been in the process of migrating our JBoss application servers to AS7.  Things seem to be progressing pretty well, although I'm having a slight issue with my SSL connections.  Here's a description of my issue...  I have a JAR file deployed to a context.  If I access the deployement without using HTTP the proper website is displayed.  When I try to access the same site using HTTPS I get to the server and see the certificate but the content isn't displayed.  Instead, I get a blank page with a '403 Forbidden' message.

       

      I'm hoping there is something simple that I am overlooking in the settings.  As an FYI, I'm running my AS7 in standalone mode.

       

      Thanks,

      Kurt

        • 1. Re: SSL - 403 Forbidden
          friendly_green_giant Newbie

          Ironic - I'm also setting up a new JBoss AS7...I'm not migrating though.

           

          But my post is regarding myself having the same issue.  Has anyone else had this issue?  Not sure if mine is the same as kdorf, but I'll try whatever he finds or the community suggests

          • 2. Re: SSL - 403 Forbidden
            kdorfer Newbie

            I'm actually still working through this.  I have a feeling there might be some sort of security setting that I'm missing.  Like I said, I'm getting to the address and I can see the cert, but the JBoss isn't serving me up the web application.  I'm not even seeing any activity in the access log (when using HTTPS).

            • 3. Re: SSL - 403 Forbidden
              jaikiran pai Master

              Which specific version of JBoss AS7? What do you security configurations in the web application look like?

              • 4. Re: SSL - 403 Forbidden
                kdorfer Newbie

                I'm using 7.0.1Final.  I actually don't need any security configurations in the web application.  There is no protected content were someone needs to login.  These pages are checkout pages in a shopping cart application.  We only need them to be accessible over an HTTPS connections.  Any help you can provide will be greatly appreciated.

                • 5. Re: SSL - 403 Forbidden
                  jaikiran pai Master

                  kdorfer wrote:

                   

                  I'm using 7.0.1Final.  I actually don't need any security configurations in the web application.  There is no protected content were someone needs to login.  These pages are checkout pages in a shopping cart application.  We only need them to be accessible over an HTTPS connections.  Any help you can provide will be greatly appreciated.

                  You still need to configure that in your web.xml. You'll have to tell the server that certain pages/resources in your application need HTTPS transport. You can do this by using the user-data-constraint element in the web.xml. Something like:

                   

                  <security-constraint>
                      <web-resource-collection>
                          <web-resource-name>wholesale</web-resource-name>
                          <url-pattern>/checkout/*</url-pattern>
                          <http-method>GET</http-method>
                          <http-method>POST</http-method>
                      </web-resource-collection>
                      <user-data-constraint>
                          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                      </user-data-constraint>
                  </security-constraint>
                  

                   

                  See "Specifying a Secure Connection" section here http://download.oracle.com/javaee/6/tutorial/doc/gkbaa.html#bncbl. Also take a look at the web-app xsd used by your web.xml.

                  • 6. Re: SSL - 403 Forbidden
                    kdorfer Newbie

                    I made some modifications but am still having the same issue.  Here is what I added (in regards to security) to my applications web.xml file:

                     

                    <security-constraint>

                            <web-resource-collection>

                                <web-resource-name>ALL PAGES</web-resource-name>

                                <url-pattern>/*</url-pattern>

                                <http-method>GET</http-method>

                                <http-method>POST</http-method>

                            </web-resource-collection>

                            <auth-constraint>

                                <role-name>*</role-name>

                            </auth-constraint>

                            <user-data-constraint>

                                <transport-guarantee>CONFIDENTIAL</transport-guarantee>

                            </user-data-constraint>

                        </security-constraint>

                        <login-config>

                            <auth-method>NONE</auth-method>

                        </login-config>

                     

                    Ultimately, I want to let anyone access the HTTPS pages without having to do any sort of authentication.  With the above changes in place, if I attempt to access the web site with HTTP it does a 302 redirect to HTTPS.  When this happens however I still get the 403 error message.  As an FYI, the 403 isn't displayed in the actual web page - I only see it in the response header:

                     

                    HTTP/1.1 403 Forbidden

                    Server: Apache-Coyote/1.1

                    Content-Length: 0

                    Date: Tue, 20 Sep 2011 18:10:53 GMT

                     

                    This same application works in older versions of JBoss AS.  I just can't seem to get it to work on AS7.

                     

                    Thanks,

                    Kurt