0 Replies Latest reply on Apr 1, 2005 6:47 PM by Gardner Lloyd Bickford III

    Force https for login.jsp

    Gardner Lloyd Bickford III Newbie

      Hello,
      I would like to force https requests to certain jsp pages. I have been reading about this for some time now and I have been trying to add a user-data-constraint to my applications web.xml.
      I have checked the tomcat manual and read lots of postings on enabling https but I am a bit confused about how to set a user-data-constraint in JBoss 3.2.7. There are 10 different web.xml files in my deploy directory. I decided that the onyl web.xml that I should modify is the one that in the META-INF dir that gets deployed in my applications .war file.

      The constraint does not work and it is still possible to access the url via http. My current web.xml looks like:

      <?xml version="1.0" encoding="UTF-8"?>

      <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://java.sun.com/dtd/web-app_2_3.dtd'>

      <web-app>
      <display-name>XoopMain</display-name>
      Xoop Main App
      <error-page>
      <error-code>500</error-code>
      /error.jsp
      </error-page>
      <error-page>
      <exception-type>java.lang.Exception</exception-type>
      /error.jsp
      </error-page>
      <error-page>
      <error-code>404</error-code>
      /notfound.jsp
      </error-page>
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
      </security-constraint>
      </web-app>

      Is this the correct way to force the use of https? Any suggestions are welcomed. :)

      Thanks,
      Gardner