4 Replies Latest reply on Aug 20, 2013 4:13 AM by Steffen Schmidt

    Redirect http to https is ignored

    Steffen Schmidt Newbie

      Hi

       

      I'm trying to set up http to https redirect to ensure use of SSL for my REST services.

       

      I have tried the guide (https://docs.jboss.org/author/display/AS71/SSL+setup+guide)

       

      The configureation looks like this:

       

              <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">

                  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="8443"/>

                  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">

                      <ssl name="ssl" key-alias="apiCERT" password="mypassword" certificate-key-file="${jboss.server.config.dir}/jboss.keystore" protocol="TLSv1"/>

                  </connector>

                  <virtual-server name="default-host" enable-welcome-root="true">

                      <alias name="localhost"/>

                      <alias name="example.com"/>

                  </virtual-server>

              </subsystem>

       

      If I acccess the REST services directly over https, it works as expected, i.e.:

       

      https://localhost:8443/api/rest/readings/1/5246

       

      However, if I use the try to use the normal http-url, it passes straight through at hit the REST endpoint without SSL:

       

      http://localhost:8080/api/rest/readings/1/5246

       

      I wonderif theher is some obvious point I'm missing.

       

      The platform is JBoss 7.1.1.Final, Java 7 u25 on Windows 8

       

      ... and this is NOT what I expect

        • 1. Re: Redirect http to https is ignored
          Tomaz Cerar Master

          Hi,

           

          All works as it should accoring to your configuration

           

          If you want you application only be accessable via SSL and redireceted to it if not, you should add

           

          <security-constraint>
              <web-resource-collection>
                       <web-resource-name>SECURE</web-resource-name>
                       <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <user-data-constraint>
                       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
          </security-constraint>

          to you web.xml

           

          --

          tomaz

          • 2. Re: Redirect http to https is ignored
            Steffen Schmidt Newbie

            Well, then I have to introduce a web.xml. So far i have managed without - like the "getting started" tutorials that comes with AS7. According to these, the web.xml is not required for Java EE 6 applications.

            • 3. Re: Redirect http to https is ignored
              Tomaz Cerar Master

              Then just add security constraint annotations.

               

              web.xml is optional but for some fine tuning it is still useful

               

              You could probably add something like this to your bean

              @ServletSecurity(value=@HttpConstraint(transportGuarantee=ServletSecurity.TransportGuarantee.CONFIDENTIAL))

              but it is easier to configure it app wide in web.xml

               

              take a look at https://blogs.oracle.com/swchan/entry/follow_up_on_servlet_3 for more information about this.

               

              also you can remove/disable http connector that serves non ssl requests, that way you will make sure no non-ssl requests are ever processed

              • 4. Re: Redirect http to https is ignored
                Steffen Schmidt Newbie

                Thank you for your help! It was much needed

                 

                I could get the annotation to work, but I managed to get a web.xml constructed. A couple of notes:

                • I can't figure out what the parameter "redirect" is use to in the connector configuration of the subsystem if not redirecting
                • I understand the argument about "fine tuning" the application in the web.xml. What I don't understand is why the application can't be configured in the container alone. The web.xml is "just" a descriptor file, but it is still wrapped in the deployable