5 Replies Latest reply on Oct 13, 2008 2:04 PM by chriscorbell

Simple SSL question

chriscorbell Oct 8, 2008 5:21 PM

I have what may be a naive question about configuring SSL for JBoss/Tomcat...

Is it possible to have both SSL and unencrypted access available, and have some resources/endpoints available only via SSL?

One use case for this is an administrator's web interface for a webservice. The webservice methods themselves don't require SSL, but the admin interface should.

Another use case would be a particular webservice method that we want encrypted (e.g. because it's for remote web clients to authenticate and we don't want the password sent over unencrypted). In this case we might have a login() method that we want to require come via SSL, but once it succeeds a temporary session token's returned that the RIA client can use for requests over unencrypted HTTP.

Is this possible or is SSL an on-or-off, all-or-nothing option?

1. Re: Simple SSL question

erasmomarciano Oct 9, 2008 9:20 AM (in response to chriscorbell)

Can you be more precise the about the enviroment?

Have u tried to set the security-constraint in web.xml to restrict user from directly access to JSP files and force user to use SSL connection.
Actions
2. Re: Simple SSL question

peterj Oct 9, 2008 5:59 PM (in response to chriscorbell)

Tomcat is used to serve static content as well as servets and JSPs.

To configure SSL for JBossAS, see http://www.jboss.org/file-access/default/members/jbossas/freezone/docs/Server_Configuration_Guide/beta422/html/Security_on_JBoss-Using_SSL_with_JBoss_using_JSSE.html

Or you can front-end JBossAS with Apache HTTP Server, see http://www.jboss.org/file-access/default/members/jbossas/freezone/docs/Server_Configuration_Guide/beta422/html/ch17s01.html and the sections that follow.

Both topics are also covered in the wiki.
Actions
3. Re: Simple SSL question

peterj Oct 9, 2008 6:03 PM (in response to chriscorbell)

Juts noticed that you are asking about web services, not HTML content. For that, see http://jbossws.jboss.org/mediawiki/index.php?title=Secure_transport
Actions
4. Re: Simple SSL question

peterj Oct 9, 2008 6:05 PM (in response to chriscorbell)

Oh, now I see what happened. There were two similar questions about SSL, and I meant to answer the other one. Sorry, just ignore me.
Actions
5. Re: Simple SSL question

chriscorbell Oct 13, 2008 2:04 PM (in response to chriscorbell)

Thanks for the replies. One follow-up question:

Let's say I have both unencrypted HTTP and SSL access to my webservice enabled, both for its HTML content and for webservice methods. This is just JBoss, no Apache in front.

If I want some (but not all) HTML pages to force SSL, how do I configure that with JBoss, or do I just have to dynamically code my views to dynamically detect this and bail themselves?

Sim. if I want certain service methods (like a login() method) to force SSL, how do I figure that with JBoss, or if the methods themselves have to enforce this, how do they detect that they're being invoked via SSL?

Just a pointer to docs/wiki would be great, I can't seem to find this with the search terms I come up with.

Thanks again,
Chris
Actions

Go to original post