Hello. We have implemented SSL on IBM HTTP Server and WebSphere application server. When we use "HTTPS:\\xxxxx" everything looks fine and we can see that the certificate is used, the lock icon in the browser and so on. The problem is that we can still link to the application with "HTTP:\\xxxx" (unsecured). How can we prevent this access? (Actions on the web server? Actions on the application server? Actions on the deployment description?)

[ September 30, 2003: Message edited by: Eskil Lind ]
Try looking at the transport-guarantee option on security-constraint in your web.xml...
Seems like I can solve this by editing the "Virtual host" setting in WebSphere Application Server. I tried to set the only valid virtual host to be "*:443". 443 is the SSL port.
==> This worked fine. All "HTTP:\\xxx" was rejected.

Another challenge is that my application will call some static HTML sites on the internet (new pop-up windows) with an ordinary "HTTP:\\xxxx" command.
==> This was still possible.

I have now managed to allow only HTTPS (SSL) into my application, while my application can still reach the outside world with "HTTP".
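
The transport-guarantee setting suggested in the second post can be checked mechanically. The following is an added example, not code from any poster in this thread: it parses a web.xml and lists every url-pattern whose security-constraint does not set transport-guarantee to CONFIDENTIAL. The sample descriptor and the names `audit_transport` and `local` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from the thread): the whole application
# requires TLS, but a second constraint for /reports/* sets no guarantee.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole-app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""


def local(tag):
    """Drop a '{namespace}' prefix so old and new descriptors both parse."""
    return tag.rsplit("}", 1)[-1]


def audit_transport(web_xml):
    """Return (url-pattern, guarantee) pairs that do not require HTTPS."""
    findings, patterns_seen = [], set()
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        patterns = [(e.text or "").strip() for e in sc.iter()
                    if local(e.tag) == "url-pattern"]
        guarantee = next(((e.text or "").strip().upper() for e in sc.iter()
                          if local(e.tag) == "transport-guarantee"), "NONE")
        patterns_seen.update(patterns)
        # Assumption of this check: only CONFIDENTIAL counts as "HTTPS required".
        findings += [(p, guarantee) for p in patterns if guarantee != "CONFIDENTIAL"]
    if "/*" not in patterns_seen:
        findings.append(("/*", "NO CONSTRAINT"))  # nothing covers the whole app
    return findings


if __name__ == "__main__":
    for pattern, guarantee in audit_transport(SAMPLE_WEB_XML):
        print(f"{pattern}: transport-guarantee is {guarantee}, HTTPS not required")
```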