I have a web application hosted in JBoss AS 7.1.1. I want to redirect every HTTP access to HTTPS.
I've read the documentation and done the following:
1. Generated SSL certificate (file named chap8.keystroke)
2. Added connectors in standalone.xml (Note: I have 8888 for HTTP and 8443 for HTTPS in my socket binding)
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="8443"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
        <ssl name="ssl" key-alias="chapter8" password="rmi+ssl" certificate-key-file="../standalone/configuration/chap8.keystore" protocol="TLSv1" verify-client="false"/>
    </connector>
3. Added security constraint in web.xml
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SECURE</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
In spite of all the configuration, when I access my application through the HTTP port (http://localhost:8888/App.html) it is not redirected to HTTPS. On the other hand, if I access it through HTTPS it works. So SSL is enabled; the only problem is the redirect from HTTP to HTTPS.
These are the things I've tried:
- https://docs.jboss.org/author/display/AS71/SSL+setup+guide (tried with Pure Java SSL-Setup using keytool & Native SSL-Setup using OpenSSL, both without good results. Could only enable HTTPS but not redirect HTTP)
- https://www.openshift.com/kb/kb-e1044-how-to-redirect-traffic-to-https (For JBoss AS7 and EAP6 section. I think this is only for OpenShift, but also tried)
- https://community.jboss.org/thread/172052?start=15&tstart=0 (standalone.xml configuration & security-constraint in web.xml)
- Disabling HTTP port only leaves HTTPS available, does not redirect by default.
- http://sudipta05.wordpress.com/web/jboss-httpsssl-configuration/ (again, using keytool for generating SSL certificate. Applied connector configuration in standalone.xml and security-constraint in web.xml inside the application)
- Tried disabling Apache Shiro, in case its HTTP request filtering conflicts with the redirect action of JBoss (the same result)
- Added a custom role in web.xml and added that to the security-constraint (without the security-constraint, HTTP redirect is not possible)
- Changing default ports in standalone.xml
Am I missing something in the configuration? Any ideas?
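
A quick way to see what the HTTP connector actually answers, as an added example that is not part of the original post: the Python code below requests the page without following redirects and classifies the status code and Location header. The ports 8888 and 8443 and the App.html path come from the post; the function names and the sample responses are made up for this example.

```python
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

def classify(status, location, expected_https_port=8443):
    """Decide whether a response to a plain-HTTP request is a usable HTTPS redirect."""
    if status not in REDIRECT_CODES:
        # The container answered the request itself, so the constraint did not fire.
        return ("no-redirect", f"status {status}: answered over plain HTTP")
    target = urlsplit(location or "")
    if target.scheme != "https":
        # Covers a missing header, a relative URL and an http:// target.
        return ("wrong-scheme", f"Location {location!r} is not an https URL")
    port = target.port or 443  # no explicit port means the https default
    if port != expected_https_port:
        return ("wrong-port", f"redirects to port {port}, expected {expected_https_port}")
    return ("ok", f"status {status} -> {location}")

def probe_redirect(url, expected_https_port=8443, timeout=5):
    """GET url over HTTP; http.client never follows redirects, so the raw answer is visible."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Location"), expected_https_port)
    finally:
        conn.close()

if __name__ == "__main__":
    # Constructed sample responses, not captured from a real server.
    samples = [
        (302, "https://localhost:8443/App.html"),  # redirect as intended
        (200, None),                               # page served over HTTP
        (302, "http://localhost:8888/login"),      # redirect that stays on HTTP
        (302, "https://localhost/App.html"),       # redirect-port mismatch
    ]
    for status, location in samples:
        print(status, location, classify(status, location))
    # Against a running server:
    # print(probe_redirect("http://localhost:8888/App.html"))
```

A "no-redirect" result means the request never reached the transport-guarantee check (for example, a filter or cached page answered first), while "wrong-port" points at a mismatch between redirect-port and the https socket binding.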