aspose file tools*
The moose likes JSP and the fly likes How to force the client to use SSL to access JSP pages Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Spring in Action this week in the Spring forum!
JavaRanch » Java Forums » Java » JSP
Bookmark "How to force the client to use SSL to access JSP pages" Watch "How to force the client to use SSL to access JSP pages" New topic
Author

How to force the client to use SSL to access JSP pages

Wappie Erode
Greenhorn

Joined: Aug 17, 2005
Posts: 8
Hi,
I have a webapp deployed on WebLogic server 8.1 SP4. I have the following entry in the web.xml DD.

<security-constraint>
<web-resource-collection>
<web-resource-name>SecureConnection</web-resource-name>
<url-pattern>*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint/>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

I want to ensure that the user accesses the webApp only over SSL. I installed SSL certificates on the server and configured the SSL listen port. However when I try to access the app I get a HTTP 403 error. I tried accessing the application over the non-SSL port and got the same error. I had to roll back the above changes in the DD and then I was able to access the application over the non-SSL port. What am I missing here? The JSPs access EJBs, should I protect the EJBs also in the DD? Please advice.
Thanks,
Wap
David Ulicny
Ranch Hand

Joined: Aug 04, 2004
Posts: 724
I'm not sure, but try
<auth-constraint>*</auth-constraint>

instead of

<auth-constraint/>
I think this one disable everybody from access.


SCJP<br />SCWCD <br />ICSD(286)<br />MCP 70-216
Bosun Bello
Ranch Hand

Joined: Nov 06, 2000
Posts: 1510
This may not exactly solve your problem, but I believe the URL pattern should start with /

so Change the URL pattern from:
<url-pattern>*</url-pattern>

To
<url-pattern>/*</url-pattern>


Bosun (SCJP, SCWCD)
So much trouble in the world -- Bob Marley
Wappie Erode
Greenhorn

Joined: Aug 17, 2005
Posts: 8
Hi,
Thank you so much for your responses. I tried using: <auth-constraint>*</auth-constraint>, but it was prompting me for a username/password. I removed the <auth-constraint> element from web.xml and now all traffic is forced to use SSL. The user is not prompted for username/password.
Thanks,
Wap
 
 
subject: How to force the client to use SSL to access JSP pages