[jboss-user] [Security & JAAS/JBoss] - Re: https
smeaggie
do-not-reply at jboss.com
Mon Feb 19 10:49:27 EST 2007
You can use a <security-constraint> tag in your web.xml to enforce https connections:
| -- snip --
| <security-constraint>
|   <display-name>manager_access</display-name>
|   <web-resource-collection>
|     <web-resource-name>manager_pages</web-resource-name>
|     <description/>
|     <url-pattern>/secure/*</url-pattern>
|     <http-method>GET</http-method>
|     <http-method>POST</http-method>
|     <http-method>HEAD</http-method>
|     <http-method>PUT</http-method>
|     <http-method>OPTIONS</http-method>
|     <http-method>TRACE</http-method>
|     <http-method>DELETE</http-method>
|   </web-resource-collection>
|   <auth-constraint>
|     <description/>
|     <role-name>manager</role-name>
|   </auth-constraint>
|   <user-data-constraint>
|     <description/>
|     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
|   </user-data-constraint>
| </security-constraint>
| -- snip --
The <user-data-constraint> here does the trick with <transport-guarantee> set to CONFIDENTIAL. It'll try to switch to https automatically now when accessing anything behind /secure on the server. Note this example requires the user to have the "manager" role and this requires some more configuration (login config etc).
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018886#4018886
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4018886
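Added example, not part of the original post: a small Python audit that lists every <security-constraint> in a web.xml and reports whether it carries the CONFIDENTIAL transport guarantee described above. The function names, the namespaced sample and its second `/reports/*` constraint are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's constraint (shortened) plus one with no transport guarantee.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>manager_pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip an XML namespace prefix such as '{http://...}name'."""
    return tag.rsplit("}", 1)[-1]

def audit(web_xml):
    """Return one record per <security-constraint> in a web.xml string."""
    records = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        def texts(name):
            return [(e.text or "").strip() for e in sc.iter() if local(e.tag) == name]
        guarantee = (texts("transport-guarantee") or [None])[0]
        records.append({
            "patterns": texts("url-pattern"),
            # Listed methods limit the constraint to those methods; an empty list covers all.
            "methods": texts("http-method"),
            "roles": texts("role-name"),
            "guarantee": guarantee,
            "confidential": guarantee == "CONFIDENTIAL",
        })
    return records

if __name__ == "__main__":
    for rec in audit(SAMPLE_WEB_XML):
        print("OK  " if rec["confidential"] else "WARN", rec["patterns"], rec["methods"] or "all methods")
```
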