Enabled SSL, but how to prevent "HTTP:\\xxxx"

Eskil Lind

Joined: Apr 05, 2003
Posts: 11
We have implemented SSL on IBM HTTP Server and WebSphere Application Server.
When we use "HTTPS:\\xxxxx" everything looks fine and we can see that the
certificate is used, the lock icon in the browser and so on.
The problem is that we can still link to the application with "HTTP:\\xxxx" (unsecured).
How can we prevent this access?
(Actions on the web server?
Actions on the application server?
Actions on the deployment description?)
[ September 30, 2003: Message edited by: Eskil Lind ]
norman richards
Ranch Hand

Joined: Jul 21, 2003
Posts: 367
Try looking at the transport-guarantee option on security-constraint in your web.xml...
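
The descriptor setting mentioned in the reply above, shown as an added example that is not part of the thread: a web.xml without a transport guarantee beside one that requires CONFIDENTIAL, with a small check that reports which url-patterns are still not forced onto SSL. Both descriptors are constructed samples, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint exists but carries no transport guarantee.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

# Constructed sample: same constraint, now requiring an encrypted transport.
FIXED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    # Drop the "{namespace}" prefix so DTD-style and schema-style descriptors both match.
    return tag.rsplit("}", 1)[-1]

def unprotected_patterns(web_xml):
    """Return url-patterns whose security-constraint does not demand CONFIDENTIAL."""
    weak, seen = [], False
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        seen = True
        guarantee = "NONE"  # default when <user-data-constraint> is absent
        patterns = []
        for child in sc.iter():
            if local(child.tag) == "transport-guarantee":
                guarantee = (child.text or "").strip()
            elif local(child.tag) == "url-pattern":
                patterns.append((child.text or "").strip())
        if guarantee != "CONFIDENTIAL":
            weak.extend(patterns)
    # With no constraint at all, nothing in the descriptor forces HTTPS on any URL.
    return sorted(weak) if seen else ["/*"]
```
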
Eskil Lind

Joined: Apr 05, 2003
Posts: 11
Seems like I can solve this by editing the "Virtual host" setting in WebSphere Application Server. I tried to set the only valid Virtual host to be "*:443". 443 is the SSL port.
==> This worked fine. All "HTTP:\\xxx" was rejected.
Another challenge is that my application will call some static HTML sites on the internet (new pop-up windows) with an ordinary "HTTP:\\xxxx" command.
==> This was still possible.
I have now managed to allow only HTTPS (SSL) to enter my application, and still my application can reach the outside world with "HTTP".