Enabled SSL, but how to prevent "HTTP:\\xxxx"

Eskil Lind

Joined: Apr 05, 2003
Posts: 11
We have implemented SSL on IBM Http-server and WebSphere application server.
When we use "HTTPS:\\xxxxx" everything looks fine and we can see that the
certificate is used, the lock icon in the browser and so on.
The problem is that we can still link to the application with "HTTP:\\xxxx" (unsecured).
How can we prevent this access?
(Actions on the web server?
Actions on the application server?
Actions on the deployment description?)
[ September 30, 2003: Message edited by: Eskil Lind ]
norman richards
Ranch Hand

Joined: Jul 21, 2003
Posts: 367
Try looking at the transport-guarantee option on security-constraint in your web.xml...
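
The transport-guarantee setting mentioned in the reply above, as an added example that is not part of the thread or written by any poster: a web.xml constraint without the guarantee beside one with it, plus a small check that lists the url-patterns a descriptor still leaves open to plain HTTP. Both descriptors, the `/*` pattern and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from the thread). The first covers /*
# but says nothing about transport; the second adds the transport-guarantee.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "</web-resource-collection>",
    "</web-resource-collection>\n"
    "    <user-data-constraint>\n"
    "      <transport-guarantee>CONFIDENTIAL</transport-guarantee>\n"
    "    </user-data-constraint>",
)


def _local(tag):
    """Strip an XML namespace so descriptors with an xmlns also match."""
    return tag.rsplit("}", 1)[-1]


def patterns_without_tls(web_xml):
    """Return url-patterns whose constraint does not demand CONFIDENTIAL."""
    root = ET.fromstring(web_xml)
    exposed = []
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        guarantee, patterns = "NONE", []  # an absent element behaves as NONE
        for node in constraint.iter():
            name, text = _local(node.tag), (node.text or "").strip()
            if name == "transport-guarantee":
                guarantee = text.upper()
            elif name == "url-pattern":
                patterns.append(text)
        if guarantee != "CONFIDENTIAL":
            exposed.extend(patterns)
    return exposed


if __name__ == "__main__":
    print("weak :", patterns_without_tls(WEAK_WEB_XML))
    print("fixed:", patterns_without_tls(FIXED_WEB_XML))
```

The check only inspects constraints that exist, so a descriptor with no security-constraint at all returns an empty list even though nothing in it requires SSL.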
Eskil Lind

Joined: Apr 05, 2003
Posts: 11
Seems like I can solve this by editing the "Virtual host" setting in WebSphere Application Server. I tried to set the only valid Virtual host to be "*:443". 443 is the SSL port.
==> This worked fine. All "HTTP:\\xxx" requests were rejected.
Another challenge is that my application will call some static HTML sites on the internet (new pop-up windows) with an ordinary "HTTP:\\xxxx" command.
==> This was still possible.
I have now managed to allow only HTTPS (SSL) to enter my application, and my application can still reach the outside world with "HTTP".