The following section should force all clients to use an HTTPS connection.
<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
What actually happens is that only the index.html page is secured by SSL. So a request like http://localhost/JAX-RS_Service/ is redirected to https://localhost/JAX-RS_Service/ and the index.html page is displayed. The same goes for http://localhost/JAX-RS_Service/index.html.
But if I try to request http://localhost/JAX-RS_Service/services/customers/1, there is no redirection to HTTPS, so everything is sent in plaintext over the wire.
The same goes for enforcing authentication:
<security-constraint>
<web-resource-collection>
<web-resource-name>Authenticated customers only</web-resource-name>
<url-pattern>/services/customers/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>CUST</role-name>
</auth-constraint>
</security-constraint>
A url-pattern like <url-pattern>/services/*</url-pattern> won't do the job.
Why isn't <url-pattern>/*</url-pattern> working for sublocations? Is there a way to fix this?
Actually I have no idea why, but the following configuration solved my problem.
<security-constraint>
<web-resource-collection>
<web-resource-name>SSL Secured WebService</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Authenticated customers only</web-resource-name>
<url-pattern>/services/customers/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>CUST</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
The <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint> needs to be added to each <security-constraint>, otherwise it won't work for JBoss. The interesting thing is that for Tomcat you have to define <transport-guarantee>CONFIDENTIAL</transport-guarantee> just once, for the <url-pattern>/*</url-pattern>, and everything is secured properly. In my opinion this is much more reasonable!