How to force the client to use SSL to access JSP pages

 
Greenhorn
Posts: 8
Hi,
I have a webapp deployed on WebLogic server 8.1 SP4. I have the following entry in the web.xml DD.

<security-constraint>
<web-resource-collection>
<web-resource-name>SecureConnection</web-resource-name>
<url-pattern>*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint/>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

I want to ensure that the user accesses the webApp only over SSL. I installed SSL certificates on the server and configured the SSL listen port. However, when I try to access the app I get an HTTP 403 error. I tried accessing the application over the non-SSL port and got the same error. I had to roll back the above changes in the DD and then I was able to access the application over the non-SSL port. What am I missing here? The JSPs access EJBs, should I protect the EJBs also in the DD? Please advise.
Thanks,
Wap
 
Ranch Hand
Posts: 724
I'm not sure, but try
<auth-constraint>*</auth-constraint>

instead of

<auth-constraint/>
I think this one disables everybody from access.
 
Ranch Hand
Posts: 1512
This may not exactly solve your problem, but I believe the URL pattern should start with /

So change the URL pattern from:
<url-pattern>*</url-pattern>

To
<url-pattern>/*</url-pattern>
 
Wappie Erode
Greenhorn
Posts: 8
Hi,
Thank you so much for your responses. I tried using: <auth-constraint>*</auth-constraint>, but it was prompting me for a username/password. I removed the <auth-constraint> element from web.xml and now all traffic is forced to use SSL. The user is not prompted for username/password.
Thanks,
Wap
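
Added example, not part of the thread and not code from any poster: a small Python check that reads a web.xml and reports the constraint problems this thread ran into (an empty auth-constraint, a url-pattern of `*`). It also goes one step beyond the thread by flagging an http-method list, since a constraint that names methods applies only to those methods. The function name `audit_constraints`, the `<web-app>` wrapper and the `FIXED` descriptor are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _find(elem, name):
    # Match on local names so DTD-style (2.3) and namespaced descriptors both work.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_constraints(web_xml):
    """Return one finding string per problem in each <security-constraint>."""
    findings = []
    for sc in _find(ET.fromstring(web_xml), "security-constraint"):
        # An <auth-constraint> with no <role-name> children authorizes no one.
        for ac in _find(sc, "auth-constraint"):
            if not _find(ac, "role-name"):
                findings.append("empty auth-constraint: all access denied (403)")
        # Valid patterns start with "/" or are extension patterns such as "*.jsp".
        for up in _find(sc, "url-pattern"):
            pattern = (up.text or "").strip()
            if not pattern.startswith(("/", "*.")):
                findings.append("url-pattern %r is not a valid servlet pattern" % pattern)
        # Listing methods limits the constraint to them; other methods are not covered.
        methods = sorted((m.text or "").strip() for m in _find(sc, "http-method"))
        if methods:
            findings.append("constraint covers only " + ",".join(methods))
        guarantees = [(t.text or "").strip() for t in _find(sc, "transport-guarantee")]
        if guarantees != ["CONFIDENTIAL"]:
            findings.append("transport-guarantee is not CONFIDENTIAL")
    return findings

# The descriptor from the first post, wrapped in a root element (constructed wrapper).
ORIGINAL = """<web-app><security-constraint>
<web-resource-collection>
<web-resource-name>SecureConnection</web-resource-name>
<url-pattern>*</url-pattern>
<http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection>
<auth-constraint/>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""

# Constructed: the thread's suggestions combined, with the method list dropped.
FIXED = """<web-app><security-constraint>
<web-resource-collection>
<web-resource-name>SecureConnection</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""
if __name__ == "__main__":
    print(audit_constraints(ORIGINAL), audit_constraints(FIXED), sep="\n")
```

Run against the first post's descriptor it reports three findings; against the constructed corrected descriptor it reports none.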
 