users@glassfish.java.net

Re: Question regarding SSL (HTTPS)

From: Joerg Gippert <jgippert_at_online.de>
Date: Tue, 25 Mar 2008 00:05:09 +0100

Hi Wolfram,

thank you for your quick response. You were right, the transport guarantee
tag was missing. I updated my web.xml accordingly and redeployed my webapp
(actually, I'm using an .ear file which contains my webapp). However, that
didn't solve the problem. It still gives me an HTTP 403 if I want to access
the page. Is there anything else I could try out?

Thanks,
Joerg

PS: I corrected the subject. Didn't sound right :)

----- Original Message -----
From: "Wolfram Rittmeyer" <w.rittmeyer_at_jsptutorial.org>
To: <users_at_glassfish.dev.java.net>
Sent: Monday, March 24, 2008 10:17 PM
Subject: Re: Question to SSL (HTTPS)


> Joerg Gippert wrote:
>> Hello,
>>
>> I seem to have a problem understanding how exactly the security
>> constraints regarding webpages work. I want several pages of my webapp to
>> be only available using HTTPS (sign up or payment pages). So I have set
>> up my web.xml as follows (almost exactly as shown at Sun's J2EE 5
>> tutorial):
>>
>> <security-constraint>
>>   <display-name>Security Constraint</display-name>
>>   <web-resource-collection>
>>     <web-resource-name>Protected Area</web-resource-name>
>>     <url-pattern>/faces/jsp/ssl/*</url-pattern>
>>     <http-method>DELETE</http-method>
>>     <http-method>GET</http-method>
>>     <http-method>POST</http-method>
>>     <http-method>PUT</http-method>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>all</role-name>
>>   </auth-constraint>
>> </security-constraint>
>>
>
> To enforce the usage of SSL you need a user-data-constraint element:
>
> <user-data-constraint>
>   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
>
> Also the value for all is the asterisk (*) - but then again it would be
> better to omit this element.
>
>
>> Now, that seems to work half way. Using Firefox, I am asked to accept the
>> certificate. As soon as I accept, I get an
>> "HTTP Status 403 - Access to the requested resource has been denied"
>> error. The URL points to the right page and also using HTTPS. I assume
>> that I did something wrong with the role-name. And that's the point that
>> I don't really understand. I left the <auth-constraint> out of web.xml but
>> still same error. I don't understand what value this tag should have. I
>> don't have a role configured and I also don't know where I should do
>> this. I tried out putting in the role names that I can see in the
>> access.log file but with no success. I understand the J2EE tutorial about
>> logging someone in to https protected pages. But to sign up on a website,
>> there simply is no login (that's why you have to sign up 8} ).
>>
>
> Since I missed it once myself: Do you redeploy war-files or do you work
> with a directory-based deployment? If you are using the latter you must
> always undeploy the app and then redeploy it. Otherwise configuration
> changes (like changing lines in the web.xml) do not apply.
>
>
> --
> Wolfram Rittmeyer
>
>
>> Can anyone see, what I am doing wrong or point me to a tutorial, that
>> shows how to protect a simple webpage (no login, no fuzz)?
>>
>> Thanks for any reply!
>>
>> Cheers,
>> Joerg
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>
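An added example, not part of the original thread and not GlassFish code: a small Python check that reads a web.xml and reports, per security-constraint, the points raised in this exchange (a missing CONFIDENTIAL transport guarantee, a role name with no security-role declaration), plus any http-method list, which restricts the constraint to the listed methods. The `<web-app>` wrapper around the quoted constraint and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint quoted in the thread inside a minimal <web-app> root.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <display-name>Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/faces/jsp/ssl/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>all</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    # ElementTree prefixes tags with '{namespace}'; keep only the local name.
    return tag.rsplit("}", 1)[-1]

def texts(elem, name):
    # Stripped text of every descendant element called `name`.
    return [(e.text or "").strip() for e in elem.iter() if local(e.tag) == name]

def audit(xml_text):
    """Return (url-patterns, finding) pairs for each <security-constraint>."""
    root = ET.fromstring(xml_text)
    declared = {r for e in root if local(e.tag) == "security-role"
                for r in texts(e, "role-name")}
    findings = []
    for sc in (e for e in root if local(e.tag) == "security-constraint"):
        where = ", ".join(texts(sc, "url-pattern"))
        if "CONFIDENTIAL" not in texts(sc, "transport-guarantee"):
            findings.append((where, "no CONFIDENTIAL transport-guarantee"))
        for role in texts(sc, "role-name"):  # only occurs inside <auth-constraint>
            if role != "*" and role not in declared:
                findings.append((where, f"role '{role}' has no <security-role> declaration"))
        methods = texts(sc, "http-method")
        if methods:  # methods not listed are not covered by this constraint
            findings.append((where, "applies only to " + "/".join(methods)))
    return findings

if __name__ == "__main__":
    for where, finding in audit(WEB_XML):
        print(f"{where}: {finding}")
```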