I am trying to always use HTTPS on my website. I have the following in my web.xml file:
<security-constraint>
    <display-name>All access - GET and POST over SSL</display-name>
    <web-resource-collection>
        <web-resource-name>Common area - GET and POST</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
However it doesn't work. Any idea of what I need to do?
You are explicitly allowing the GET and POST methods to access your website over HTTP with the <http-method-omission> tag.
I think you meant:
<http-method>GET</http-method>
<http-method>POST</http-method>
But it would be better to just omit any declaration of HTTP method, as you surely want to force https for all of them.
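An added example, not part of the original question or answer: a small Python check that parses a web.xml and reports every CONFIDENTIAL constraint that does not cover all HTTP methods, which is the mistake described above. The names `audit_transport` and `SAMPLE_WEB_XML` are hypothetical, and the sample is the question's constraint wrapped in a minimal `<web-app>` element.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the question inside a minimal <web-app>.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Common area - GET and POST</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    # Drop any "{namespace}" prefix so the check works with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def _texts(parent, name):
    # Text of every direct child element called `name`.
    return [c.text.strip() for c in parent if _local(c.tag) == name and c.text]

def audit_transport(web_xml_text):
    """Return (url_pattern, message) for each CONFIDENTIAL constraint whose
    resource collection leaves some HTTP methods outside the constraint.
    Each collection is checked on its own; a method left out here may still
    be covered by another constraint in the same file."""
    findings = []
    root = ET.fromstring(web_xml_text)
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        guarantees = [g for udc in sc if _local(udc.tag) == "user-data-constraint"
                      for g in _texts(udc, "transport-guarantee")]
        if "CONFIDENTIAL" not in guarantees:
            continue
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            omitted = _texts(wrc, "http-method-omission")  # methods excluded
            listed = _texts(wrc, "http-method")            # only methods included
            for pattern in _texts(wrc, "url-pattern"):
                if omitted:
                    findings.append((pattern, "not enforced for: " + ", ".join(omitted)))
                elif listed:
                    findings.append((pattern, "enforced only for: " + ", ".join(listed)))
    return findings

if __name__ == "__main__":
    for pattern, message in audit_transport(SAMPLE_WEB_XML):
        print(f"{pattern}: CONFIDENTIAL {message}")
```

A collection with neither `<http-method>` nor `<http-method-omission>` applies to every method, so it produces no finding.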