• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

JBOSS web logon not redirecting from port 8080 to 8443 at login

 
G King
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
All, I have successfully set up JBOSS to accept either port 8080 or 8443. However, the port 8080 connections do not redirect to 8443 for logon authentication. Any help is greatly appreciated!

<Connector port="8080" address="${jboss.bind.address}"
maxThreads="250" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" compression="on" compressionMinSize="4096"
compressionMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
disableUploadTimeout="true" />

<Connector port="8443" address="${jboss.bind.address}"
maxThreads="250" minSpareThreads="5" maxSpareThreads="75"
maxHttpHeaderSize="8192" emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="true" scheme="https" secure="true" SSLEnabled="true" acceptCount="100"
connectionTimeout="20000" compression="on" compressionMinSize="4096"
compressionMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
disableUploadTimeout="true" keystoreFile="path_to_keystore"
keystorePass="passwd" clientAuth="false" sslProtocol="TLS" />
 
Jaikiran Pai
Marshal
Pie
Posts: 10447
227
IntelliJ IDE Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Your web.xml's security configuration part also plays a role in this. What does your web.xml look like?
 
G King
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Is there a specific stanza I can target for you? I found nothing on a course search while looking for CONFIDENTIAL declarations, 8080, 8443, or even https. Searching on security, I am only finding elements associated with role based security rather than a page level authentication security constraint.
 
G King
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
UPDATE: I did find a number of the fillowing entries: <transport-guarantee>NONE</transport-guarantee>
I understand that I will want to modify that to <transport-guarantee>CONFIDENTIAL</transport-guarantee> for the target page. In my case I only want the initial logon to be redirected to 8443 with a subsequent return to 8080 for follow-on pages. Can I assume then that I will need to identify a specific point in the web.xml file? If so, what might I be looking for.
 
G King
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I have determined that setting NONE to CONFIDENTIAL in the following will force the redirect from 8080 to 8443. However, I do not return to 8080 for the follow-on pages. I expect this may be due to the nested "url-pattern" elements.

<security-constraint>
<web-resource-collection>
<web-resource-name>NGS PROTECTED WEB</web-resource-name>
<description>All jsp's below this level are protected by authentication</description>
<url-pattern>//jsp/core/default.jsp</url-pattern>
<url-pattern>/jsp/*</url-pattern>
.
.
.
</web-resource-collection>
<auth-constraint>
<role-name>NGS_USER</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>

How would I extract out and apply <transport-guarantee>NONE</transport-guarantee> to just <url-pattern>//jsp/core/default.jsp leaving the others as NONE?
 
G King
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
CORRECTION ...

How would I extract out and apply <transport-guarantee>CONFIDENTIAL</transport-guarantee> to just <url-pattern>//jsp/core/default.jsp leaving the others as NONE?
 
Jaikiran Pai
Marshal
Pie
Posts: 10447
227
IntelliJ IDE Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I haven't given it a try, but the XSD of web.xml tells me that you can have multiple security-constraint elements in the web.xml file. So you can try having 2 security-constraint elements one with CONFIDENTIAL transport-guarantee and one with NONE and then map it to the correct url-pattern.
 
G King
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I saw that and did in fact make an attempt. It did not work. The page defaulted to the "NONE" constraint. This may have been an issue related to my method of approach.

Basically, I inserted a new security constraint stanza above the existing one and maintained the format other than naming.

<security-constraint>
<web-resource-collection>
<web-resource-name>NGS SSL WEB</web-resource-name>
<description>Initial level protected by SSL authentication</description>
<url-pattern>//jsp/core/default.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>NGS_USER</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

I then removed the base URL element from the original stanza:

<security-constraint>
<web-resource-collection>
<web-resource-name>NGS PROTECTED WEB</web-resource-name>
<description>All jsp's below this level are protected by authentication</description>

<url-pattern>//jsp/core/default.jsp</url-pattern> <===DELETED THIS LINE

<url-pattern>/jsp/*</url-pattern>
.
.
.
</web-resource-collection>
<auth-constraint>
<role-name>NGS_USER</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>

 
Sahil Makhija
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
G King wrote:I saw that and did in fact make an attempt. It did not work. The page defaulted to the "NONE" constraint. This may have been an issue related to my method of approach.

Basically, I inserted a new security constraint stanza above the existing one and maintained the format other than naming.

<security-constraint>
<web-resource-collection>
<web-resource-name>NGS SSL WEB</web-resource-name>
<description>Initial level protected by SSL authentication</description>
<url-pattern>//jsp/core/default.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>NGS_USER</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

I then removed the base URL element from the original stanza:

<security-constraint>
<web-resource-collection>
<web-resource-name>NGS PROTECTED WEB</web-resource-name>
<description>All jsp's below this level are protected by authentication</description>

<url-pattern>//jsp/core/default.jsp</url-pattern> <===DELETED THIS LINE

<url-pattern>/jsp/*</url-pattern>
.
.
.
</web-resource-collection>
<auth-constraint>
<role-name>NGS_USER</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>





Hi, were you able to configure how to use https on just the login page and all other pages with http?
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic