Can you be more precise about the environment?
Have you tried setting the security-constraint in web.xml to restrict users from directly accessing JSP files and force users to use an SSL connection?
Tomcat is used to serve static content as well as servlets and JSPs.
To configure SSL for JBossAS, see http://www.jboss.org/file-access/default/members/jbossas/freezone/docs/Server_Configuration_Guide/beta422/html/Security_on_JBoss-Using_SSL_with_JBoss_using_JSSE.html
Or you can front-end JBossAS with Apache HTTP Server, see http://www.jboss.org/file-access/default/members/jbossas/freezone/docs/Server_Configuration_Guide/beta422/html/ch17s01.html and the sections that follow.
Both topics are also covered in the wiki.
Oh, now I see what happened. There were two similar questions about SSL, and I meant to answer the other one. Sorry, just ignore me.
Thanks for the replies. One follow-up question:
Let's say I have both unencrypted HTTP and SSL access to my webservice enabled, both for its HTML content and for webservice methods. This is just JBoss, no Apache in front.
If I want some (but not all) HTML pages to force SSL, how do I configure that with JBoss, or do I just have to dynamically code my views to dynamically detect this and bail themselves?
Similarly, if I want certain service methods (like a login() method) to force SSL, how do I configure that with JBoss, or if the methods themselves have to enforce this, how do they detect that they're being invoked via SSL?
Just a pointer to docs/wiki would be great, I can't seem to find this with the search terms I come up with.
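
The security-constraint approach suggested earlier in the thread, sketched as an added example (not part of the original posts). The URL patterns `/account/*`, `/services/LoginService` and `*.jsp` are hypothetical placeholders; the elements are the standard Servlet deployment descriptor ones that the embedded Tomcat in JBossAS enforces.

```xml
<!-- Fragment for WEB-INF/web.xml; place inside the <web-app> element. -->

<!-- Force SSL for selected pages only. Everything not matched here
     stays reachable over plain HTTP. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Pages that require SSL</web-resource-name>
    <!-- hypothetical paths: list only what must be encrypted -->
    <url-pattern>/account/*</url-pattern>
    <url-pattern>/services/LoginService</url-pattern>
  </web-resource-collection>
  <!-- No auth-constraint: no login is required by this rule,
       only an encrypted transport. -->
  <user-data-constraint>
    <!-- CONFIDENTIAL makes the container redirect plain-HTTP requests
         to the HTTPS connector (the redirectPort of the HTTP connector). -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Block direct browser access to JSP files. An empty auth-constraint
     means no role is allowed, so the request is refused. Server-side
     forwards from a servlet are not subject to this check. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>No direct JSP access</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

The constraint works per URL pattern, not per service method, so a method can only be covered this way if its endpoint has its own URL. Code that has the request object can check `HttpServletRequest.isSecure()` to see whether the call arrived over SSL.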