Monday, April 3, 2017

Security Constraint & SSL

Is it necessary to set the security constraint in web.xml if I'm using a load balancer to redirect HTTP traffic to HTTPS?

For example, following this post:

<profile>
   <id>local</id>
   <properties>
      <transport.guarantee>NONE</transport.guarantee>
   </properties>
</profile>

<security-constraint>
   <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
      <transport-guarantee>${transport.guarantee}</transport-guarantee>
   </user-data-constraint>
</security-constraint>

My local environment isn't detecting the profile property for transport.guarantee == NONE, so I keep getting 403.

Is this even necessary if the load balancer is enforcing a secure connection? And if it is, why would the generated web.xml have the correct transport-guarantee value (NONE) from the profile but still deny access?
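
An added check, not part of the original post: this Python script lists the transport-guarantee of every security-constraint in a built web.xml and flags any `${...}` placeholder the build left unresolved. The sample web.xml (including its second constraint) and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a built web.xml: the first constraint was filtered to
# NONE, the second still carries the raw Maven placeholder.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>${transport.guarantee}</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

VALID = {"NONE", "INTEGRAL", "CONFIDENTIAL"}  # values defined by the Servlet spec
PLACEHOLDER = re.compile(r"\$\{[^}]*\}")

def local(elem):
    """Tag name without the XML namespace, so any web.xml schema version works."""
    return elem.tag.rsplit("}", 1)[-1]

def audit_transport_guarantees(web_xml_text):
    """Return one (resource name, url patterns, value, status) tuple per constraint."""
    findings = []
    for sc in ET.fromstring(web_xml_text).iter():
        if local(sc) != "security-constraint":
            continue
        text = {}
        for e in sc.iter():
            text.setdefault(local(e), []).append((e.text or "").strip())
        value = (text.get("transport-guarantee") or [None])[0]
        if value is None:
            status = "absent"        # no user-data-constraint declared
        elif PLACEHOLDER.search(value):
            status = "unresolved"    # build-time filtering did not run on this file
        else:
            status = "ok" if value in VALID else "invalid"
        name = (text.get("web-resource-name") or [""])[0]
        findings.append((name, text.get("url-pattern", []), value, status))
    return findings
```

Run it against the web.xml inside the deployed WAR rather than the source file, since that is the copy the container actually enforces.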



