How to force the client to use SSL to access JSP pages

 
Wappie Erode
Greenhorn
Posts: 8
Hi,
I have a webapp deployed on WebLogic server 8.1 SP4. I have the following entry in the web.xml DD.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecureConnection</web-resource-name>
    <url-pattern>*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint/>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

I want to ensure that the user accesses the webApp only over SSL. I installed SSL certificates on the server and configured the SSL listen port. However, when I try to access the app I get an HTTP 403 error. I tried accessing the application over the non-SSL port and got the same error. I had to roll back the above changes in the DD and then I was able to access the application over the non-SSL port. What am I missing here? The JSPs access EJBs, should I protect the EJBs also in the DD? Please advise.
Thanks,
Wap
 
David Ulicny
Ranch Hand
Posts: 724
I'm not sure, but try
<auth-constraint>*</auth-constraint>

instead of

<auth-constraint/>
I think this one disables everybody from access.
 
Bosun Bello
Ranch Hand
Posts: 1511
This may not exactly solve your problem, but I believe the URL pattern should start with /

So change the URL pattern from:
<url-pattern>*</url-pattern>

To
<url-pattern>/*</url-pattern>
 
Wappie Erode
Greenhorn
Posts: 8
Hi,
Thank you so much for your responses. I tried using: <auth-constraint>*</auth-constraint>, but it was prompting me for a username/password. I removed the <auth-constraint> element from web.xml and now all traffic is forced to use SSL. The user is not prompted for username/password.
Thanks,
Wap
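
Added example, not part of any post in this thread: a small Python audit of a web.xml security-constraint, run against the descriptor from the first post and against the variant the thread converged on (no auth-constraint, url-pattern /*). The audit() function, its finding names and the wrapping web-app element are assumptions made for this example; the check on http-method goes beyond what the thread discusses and is included because a constraint that lists methods does not apply to the methods it leaves out.

```python
import xml.etree.ElementTree as ET

# ORIGINAL is the constraint from the first post; FIXED is assembled from the
# replies. The <web-app> wrapper is added so each string parses on its own.
ORIGINAL = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>SecureConnection</web-resource-name>
    <url-pattern>*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint/>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint></web-app>"""

FIXED = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>SecureConnection</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint></web-app>"""

def audit(web_xml):
    """Return a sorted list of finding codes over all security-constraints."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                      # drop any XML namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = set()
    for sc in root.iter("security-constraint"):
        for pat in sc.iter("url-pattern"):
            p = (pat.text or "").strip()
            if not (p.startswith("/") or p.startswith("*.")):
                findings.add("bad-url-pattern")   # expected "/..." or "*.ext"
        if sc.find(".//http-method") is not None:
            findings.add("unlisted-methods-unconstrained")
        auth = sc.find("auth-constraint")
        if auth is not None and auth.find("role-name") is None:
            # An auth-constraint that names no roles permits no access at all.
            findings.add("auth-constraint-without-roles")
        tg = sc.findtext(".//transport-guarantee", "").strip()
        if tg not in ("CONFIDENTIAL", "INTEGRAL"):
            findings.add("no-transport-guarantee")  # plain HTTP stays allowed
    return sorted(findings)
```

Calling audit(ORIGINAL) reports the empty auth-constraint, the url-pattern and the method list; audit(FIXED) reports nothing.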
 