
I'm trying to enable SSL on a very old J2EE application I support. The application runs within WebSphere 6.1. I've enabled application security in the WAS profile running the application, but with the web.xml config below users can still reach the site over either HTTP or HTTPS.

I've tried several different url patterns, but none seem to work:

/*
/jsp/*
/gatewayRMIWEB/*

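<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<!--
  Deployment descriptor for the gatewayRMIWEB module (Servlet 2.3 DTD).

  The 2.3 DTD fixes the order of the children of <web-app>:
    ... welcome-file-list?, error-page*, taglib*, resource-env-ref*,
    resource-ref*, security-constraint*, login-config?, security-role*,
    env-entry*, ejb-ref*, ejb-local-ref*
  so <security-constraint> must appear BEFORE the <env-entry> elements.
  The original file placed it after them, which makes the descriptor
  invalid against the DTD it declares. Whether WAS 6.1 rejects or silently
  ignores a mis-ordered constraint is not confirmed here, but the order
  has to be correct either way, so the constraint is moved up.
-->
<web-app id="WebApp">
    <display-name>gatewayRMIWEB</display-name>
    <!-- LoginFilter is mapped to /jsp/* only. The servlet mappings below
         (/GatewayClient, /Logoff, /Settings, ...) do not match that pattern,
         so requests to them bypass the filter; whether each servlet checks
         the session itself cannot be seen from this file. -->
    <filter>
        <filter-name>LoginFilter</filter-name>
        <display-name>LoginFilter</display-name>
        <filter-class>com.dc.gateway.servlet.LoginFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>LoginFilter</filter-name>
        <url-pattern>/jsp/*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>GatewayClient</servlet-name>
        <display-name>GatewayClient</display-name>
        <servlet-class>com.dc.gateway.servlet.GatewayClient</servlet-class>
        <init-param>
            <param-name>log4j-init-file</param-name>
            <param-value>/WEB-INF/logger.lcf</param-value>
        </init-param>
    </servlet>
    <servlet>
        <servlet-name>SecurityCheck</servlet-name>
        <display-name>SecurityCheck</display-name>
        <servlet-class>com.dc.gateway.servlet.SecurityCheck</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>Logoff</servlet-name>
        <display-name>Logoff</display-name>
        <servlet-class>com.dc.gateway.servlet.Logoff</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>Settings</servlet-name>
        <display-name>Settings</display-name>
        <servlet-class>com.dc.gateway.servlet.Settings</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>changepassword</servlet-name>
        <display-name>changepassword</display-name>
        <servlet-class>com.dc.gateway.servlet.changepassword</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>subdetailupdate</servlet-name>
        <display-name>subdetailupdate</display-name>
        <servlet-class>com.dc.gateway.servlet.subdetailupdate</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>subscriberdelete</servlet-name>
        <display-name>subscriberdelete</display-name>
        <servlet-class>com.dc.gateway.servlet.subscriberdelete</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>subscriberdetailedit</servlet-name>
        <display-name>subscriberdetailedit</display-name>
        <servlet-class>com.dc.gateway.servlet.subscriberdetailedit</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>subscriberedit</servlet-name>
        <display-name>subscriberedit</display-name>
        <servlet-class>com.dc.gateway.servlet.subscriberedit</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>subscribernew</servlet-name>
        <display-name>subscribernew</display-name>
        <servlet-class>com.dc.gateway.servlet.subscribernew</servlet-class>
    </servlet>
    <!-- Maintenance/administrative servlets (TrnlogPurge, As400Pool) are
         mapped at top level and therefore outside the LoginFilter pattern. -->
    <servlet>
        <servlet-name>TrnlogPurge</servlet-name>
        <display-name>TrnlogPurge</display-name>
        <servlet-class>com.dc.gateway.servlet.TrnlogPurge</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>As400Pool</servlet-name>
        <display-name>As400Pool</display-name>
        <servlet-class>com.dc.gateway.servlet.As400Pool</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>Resubmit</servlet-name>
        <display-name>Resubmit</display-name>
        <servlet-class>com.dc.gateway.servlet.Resubmit</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>SearchPrepare</servlet-name>
        <display-name>SearchPrepare</display-name>
        <servlet-class>com.dc.gateway.servlet.SearchPrepare</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>GatewayClient</servlet-name>
        <url-pattern>/GatewayClient</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>SecurityCheck</servlet-name>
        <url-pattern>/SecurityCheck</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Logoff</servlet-name>
        <url-pattern>/Logoff</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Settings</servlet-name>
        <url-pattern>/Settings</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>changepassword</servlet-name>
        <url-pattern>/changepassword</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>subdetailupdate</servlet-name>
        <url-pattern>/subdetailupdate</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>subscriberdelete</servlet-name>
        <url-pattern>/subscriberdelete</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>subscriberdetailedit</servlet-name>
        <url-pattern>/subscriberdetailedit</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>subscriberedit</servlet-name>
        <url-pattern>/subscriberedit</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>subscribernew</servlet-name>
        <url-pattern>/subscribernew</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>TrnlogPurge</servlet-name>
        <url-pattern>/TrnlogPurge</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>As400Pool</servlet-name>
        <url-pattern>/As400Pool</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Resubmit</servlet-name>
        <url-pattern>/Resubmit</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>SearchPrepare</servlet-name>
        <url-pattern>/SearchPrepare</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
        <welcome-file>jsp/login.jsp</welcome-file>
    </welcome-file-list>
    <resource-ref id="ResourceRef_1084824065465">
        <res-ref-name>jdbc/cg</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
        <res-sharing-scope>Shareable</res-sharing-scope>
    </resource-ref>
    <!-- Transport-only constraint: CONFIDENTIAL makes the container redirect
         every URL in the module to HTTPS. There is no <auth-constraint>, so
         the container itself requires no authentication for these URLs;
         any login enforcement comes from the application (LoginFilter, the
         servlets), not from this descriptor. Per the DTD this element has
         to sit here, between <resource-ref> and <env-entry>. -->
    <security-constraint>
        <display-name>gatewayRMIWEB</display-name>
        <web-resource-collection>
            <web-resource-name>allresources</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <env-entry>
        <description>soft-coded datasource jndi name</description>
        <env-entry-name>datasource-jndi-cms</env-entry-name>
        <env-entry-value>jdbc/cg</env-entry-value>
        <env-entry-type>java.lang.String</env-entry-type>
    </env-entry>
    <env-entry>
        <description>soft-coded datasource jndi name</description>
        <env-entry-name>datasource-jndi-erp</env-entry-name>
        <env-entry-value>jdbc/erp</env-entry-value>
        <env-entry-type>java.lang.String</env-entry-type>
    </env-entry>
</web-app>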
Michael Sobczak



If you want to protect the whole application the following pattern should do the trick:

<url-pattern>/*</url-pattern>

At least this works on my 8.5.5:

<!-- Transport-only constraint: CONFIDENTIAL redirects every URL matched by
     /* to HTTPS. It contains no <auth-constraint>, so the container does not
     demand a login for those URLs; it only refuses to serve them over plain
     HTTP. In a Servlet 2.3 (DTD-based) web.xml this element must appear
     after <resource-ref> and before <login-config>/<security-role>/<env-entry>. -->
<security-constraint>
    <display-name>allApp</display-name>
    <web-resource-collection>
        <web-resource-name>allresources</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Did you restart the server after enabling application security?

Gas
  • I believe I tried both of those, but let me try again. – Michael Sobczak Sep 12 '14 at 02:16
  • Application security is enabled. I revised the web.xml to include a display-name in the security-constraint, and also the url-pattern. The app still allows http access to the pages. I must be missing something, but what? – Michael Sobczak Sep 12 '14 at 13:30
  • @MichaelSobczak It looks like somehow this is ignored... You could try to add and to see if you will be prompted for authorization, just to make sure that security is enforced. Or enable security trace. – Gas Sep 12 '14 at 16:52
  • @MichaelSobczak I've tested it on 6.1.0.31 and it works as designed, correctly redirecting to HTTPS. Maybe try one more time: disable administrative and application security, save. Stop/Start. Ensure that security is disabled (e.g. by accessing the console). Re-enable administrative and application security. Stop/Start. Also verify that web.xml is correctly updated in installedApps\cell\application\webmodule\WEB-INF – Gas Sep 16 '14 at 22:35
  • I'll try this out next week. I have mandatory training all this week. I appreciate your help with this. – Michael Sobczak Sep 17 '14 at 02:07
    The solution was to do three things: update web.xml, enable Application Security in the console and also install and configure the WebSphere plugin for Apache Web Server. Works like a charm now! – Michael Sobczak Sep 29 '14 at 16:06
  • @MichaelSobczak Good, nice to hear that :) – Gas Sep 29 '14 at 16:22