
I know, the answer is the following:

```xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>All resources</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

and it works pretty well, but only if it is the only security-constraint in the web.xml.

As soon as I add a second security-constraint, something like this:

```xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin section</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>USER</role-name>
    </auth-constraint>
</security-constraint>
```

redirection stops working for URLs that point to the admin section (in this case the application shows a login form).

Is there a way to enable redirection globally via web.xml or WildFly configuration?

PS: tested with WildFly 8.2

admdrew
Alf
  • You can configure your server to force HTTPS – Rafael Dec 04 '14 at 19:21
  • @Rafael: in what manner? – Alf Dec 04 '14 at 21:47
  • http://stackoverflow.com/questions/567434/force-https-for-entire-server-domain – Rafael Dec 04 '14 at 22:20
  • @Rafael: that link is about Apache url rewriting. My question is about servlet or wildfly configuration. – Alf Dec 04 '14 at 22:45
  • http://stackoverflow.com/questions/9171090/force-a-request-from-https-to-http-in-httpservlet – Rafael Dec 05 '14 at 00:10
  • @Rafael: it is not so simple. That method works only if you use default ports (80 and 443) or if you already know the ports you have to use. That information is stored in the standalone.xml but web apps have no access to it. – Alf Dec 05 '14 at 13:59

1 Answer

Did you try to add "user-data-constraint" to the second "security-constraint"?

JuliuszJ
  • It's not worded correctly to look like an answer, but this is a valid answer to the question. The `CONFIDENTIAL` property is what is used for redirection with this method in WildFly, as [seen in this thread](https://developer.jboss.org/thread/235190) on JBoss.org. @JuliuszJ - it might be a good idea to reword your answer. Use the same link I have if you think it's relevant. – Mike Jun 24 '15 at 21:23
  • This solution does not solve the problem. The first security constraint should act as a global https "redirector". Every time I type an http url in the browser I must be redirected to an https url. What happens if I add a new security constraint and forget to add the user-data-constraint section? This is error prone. So, the question is: Is there a way to enable redirection **globally** via web.xml or wildfly configuration? – Alf Jun 26 '15 at 12:56