Tags: ssl, jboss, jax-rs, enforcement, security-constraint

How to enforce https connection for all sub locations? JAX-RS JBoss


The following section should force all clients to use an HTTPS connection.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
    </user-data-constraint>
</security-constraint>

What actually happens is that only the index.html page is secured by SSL. A request like http://localhost/JAX-RS_Service/ is redirected to https://localhost/JAX-RS_Service/ and the index.html page is displayed. The same goes for http://localhost/JAX-RS_Service/index.html. But if I request http://localhost/JAX-RS_Service/services/customers/1, there is no redirection to HTTPS, so everything is sent in plaintext over the wire.

The same goes for enforcing authentication:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Authenticated customers only</web-resource-name>
        <url-pattern>/services/customers/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>CUST</role-name>
    </auth-constraint>
</security-constraint>

A url-pattern like <url-pattern>/services/*</url-pattern> won't do the job either.

Why isn't <url-pattern>/*</url-pattern> working for sub-locations? Is there a way to fix this?


Solution

  • Actually I have no idea why, but the following configuration solved my problem.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL Secured WebService</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
        </user-data-constraint>
    </security-constraint>
    
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Authenticated customers only</web-resource-name>
            <url-pattern>/services/customers/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>CUST</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
        </user-data-constraint>
    </security-constraint>
    

    The <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint> element needs to be added to each <security-constraint>, otherwise it won't work on JBoss. The interesting thing is that for Tomcat you have to define <transport-guarantee>CONFIDENTIAL</transport-guarantee> just once, for <url-pattern>/*</url-pattern>, and everything is secured properly. In my opinion this is much more reasonable!
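A way to check a deployment descriptor for this gotcha before deploying, as an added example that is not part of the original question or answer: the script below parses a web.xml, models the container picking only the most specific url-pattern for a request path (exact match, then longest `/prefix/*`, then `*.ext`, then `/`; this best-match model is an assumption used here to reproduce the behaviour the question describes, not something the page states), reports the effective transport guarantee for a path, lists every security-constraint that lacks CONFIDENTIAL, and applies the fix from the answer by adding a user-data-constraint to each constraint that has none. The embedded web.xml is a constructed fragment mirroring the question; the function names are the example's own.

```python
"""Lint a web.xml for security-constraints that leave paths reachable over
plain HTTP. Added example, not code from the original post."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed web.xml mirroring the question: /* is CONFIDENTIAL, but the auth
# constraint for /services/customers/* carries no user-data-constraint.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>securedapp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated customers only</web-resource-name>
      <url-pattern>/services/customers/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>CUST</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


@dataclass
class Constraint:
    name: str
    patterns: list
    roles: list
    guarantee: str  # "NONE" when no user-data-constraint is present


def _strip_ns(root):
    """Drop the default namespace so plain tag names can be searched."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def parse_constraints(xml_text):
    root = _strip_ns(ET.fromstring(xml_text))
    out = []
    for sc in root.findall("security-constraint"):
        patterns, name = [], ""
        for wrc in sc.findall("web-resource-collection"):
            name = wrc.findtext("web-resource-name", default="") or name
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        guarantee = sc.findtext("user-data-constraint/transport-guarantee",
                                default="NONE").strip() or "NONE"
        out.append(Constraint(name, patterns, roles, guarantee))
    return out


def match_score(pattern, path):
    """Score a url-pattern against a request path; higher wins, None = no match."""
    if pattern == path:
        return (3, len(pattern))                     # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))                  # longest prefix wins
        return None
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None  # extension
    if pattern == "/":
        return (0, 0)                                # default pattern
    return None


def best_matching(constraints, path):
    """Constraints whose patterns are the most specific match for `path`."""
    best, best_score = [], None
    for c in constraints:
        for p in c.patterns:
            s = match_score(p, path)
            if s is None:
                continue
            if best_score is None or s > best_score:
                best, best_score = [c], s
            elif s == best_score and c not in best:
                best.append(c)
    return best


def effective_guarantee(constraints, path):
    """Transport guarantee for `path` under the best-match model (assumption):
    any best-matching constraint without CONFIDENTIAL leaves plain HTTP open."""
    matched = best_matching(constraints, path)
    if not matched:
        return "NONE"
    return "CONFIDENTIAL" if all(c.guarantee == "CONFIDENTIAL" for c in matched) else "NONE"


def lint(constraints):
    """Names of constraints missing CONFIDENTIAL, i.e. the ones the answer fixes."""
    return [c.name for c in constraints if c.guarantee != "CONFIDENTIAL"]


def add_confidential(xml_text):
    """Apply the answer's fix: give every security-constraint a CONFIDENTIAL
    user-data-constraint. Namespace declarations are dropped in the output;
    re-add xmlns before writing back a real descriptor."""
    root = _strip_ns(ET.fromstring(xml_text))
    for sc in root.findall("security-constraint"):
        if sc.find("user-data-constraint") is None:
            udc = ET.SubElement(sc, "user-data-constraint")
            ET.SubElement(udc, "transport-guarantee").text = "CONFIDENTIAL"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    cs = parse_constraints(WEB_XML)
    for path in ("/index.html", "/services/customers/1"):
        print(path, effective_guarantee(cs, path))
    print("missing CONFIDENTIAL:", lint(cs))
    fixed = parse_constraints(add_confidential(WEB_XML))
    print("/services/customers/1 after fix:", effective_guarantee(fixed, "/services/customers/1"))
```

Run it against the real web.xml of the deployment: every name printed under "missing CONFIDENTIAL" is a constraint whose url-patterns can win the match for some request and let it through over plain HTTP, which is exactly the /services/customers/1 case in the question.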