0 Replies Latest reply on Apr 18, 2014 12:49 PM by marcusdidiusfalco

    Securing Web Application and SSL

    marcusdidiusfalco

      Hello,

       

      I am trying to secure a web application and implement https:

      web.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
          <welcome-file-list>
              <welcome-file>index.html</welcome-file>
              <welcome-file>index.jsf</welcome-file>
          </welcome-file-list>
          <context-param>
              <param-name>facelets.SKIP_COMMENTS</param-name>
              <param-value>true</param-value>
          </context-param>
          <context-param>
              <param-name>javax.faces.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL</param-name>
              <param-value>true</param-value>
          </context-param>
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>Organisator</web-resource-name>
                  <url-pattern>/organisator/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>Organisator</role-name>
              </auth-constraint>
              <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
          </security-constraint>
          <security-role>
              <role-name>Organisator</role-name>
          </security-role>
          <login-config>
              <auth-method>BASIC</auth-method>
              <!--
              <form-login-config>
                  <form-login-page>/login.jsf</form-login-page>
                  <form-error-page>/loginError.jsf</form-error-page>
              </form-login-config>
              -->
              <realm-name>my-aktion</realm-name>
          </login-config>
      </web-app>

       

      The basic login works. After that I have tried to implement https:

      <subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
          <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="8443"/>
          <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enabled="true">
              <ssl key-alias="my-aktion" password="changeit" certificate-key-file="../standalone/configuration/my-akktion.keystore"/>
          </connector>
          <!-- the rest of the subsystem is not shown in the post -->
      </subsystem>

       

      https://localhost:8443/

      works.

      But when I try to access my web app under the address

      https://localhost:8080/my-aktion

      (the application has worked without https)

      I get redirected to

      https://localhost/my-aktion/organisator/aktionList.jsf

      to which the browser cannot connect.

      Also, when I try to add the port:

      https://localhost:8443/my-aktion/organisator/aktionList.jsf

      I again get redirected to the wrong address.

       

      I would be very grateful for any suggestions.

       

      Thanks,

       

      Hans