Guarantee mandatory use of SSL in web.xml

Posted on November 5, 2012. Filed under: java/j2EE


In the previous post, enable realm in server.xml <Realm>, we set up BASIC authentication. That setup has a security hole, though.

The user is still allowed to connect over plain http (http://localhost:8080/test-app/hello) instead of https. BASIC authentication only Base64-encodes the username and password, so over http the credentials travel in cleartext and the web application is open to a man-in-the-middle attack.

We want to guarantee that users are always connected through https (https://localhost:8443/test-app/hello).

This is easily fixed by adding a <user-data-constraint> containing <transport-guarantee>CONFIDENTIAL</transport-guarantee> to the <security-constraint>.

If a user attempts to connect through http, Tomcat redirects the request to the SSL/TLS port before it asks for credentials; requesting the http URL should now return a 302 to the https URL. The target port is taken from the redirectPort attribute of the HTTP connector in server.xml, which is 8443 in Tomcat's default configuration. Two caveats: the guarantee applies only to the url-patterns listed in the constraint (here just /hello), so use /* if the whole application must be served over https; and a scripted client that sends the Authorization header pre-emptively still exposes it in the initial http request, so remove or firewall the plain HTTP connector where you can.

— web.xml —

<web-app version="3.0"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>test-app</web-resource-name>
            <url-pattern>/hello</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>appadmin</role-name>
        </auth-constraint>
        <!-- Require SSL/TLS: http requests for /hello are redirected to https -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>test-app-realm</realm-name>
    </login-config>

</web-app>
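As an added example (not code from the original post or from Tomcat), here is a small Python audit of a web.xml that reports every security-constraint which gates URLs behind roles but does not require a transport guarantee, i.e. exactly the hole fixed above, and also notes when no constraint covers /*. The two embedded web.xml documents are constructed for the demo: the "before" one mirrors the previous post's setup and the "after" one adds the CONFIDENTIAL guarantee.

```python
"""Audit a Servlet web.xml for security constraints that demand credentials
but do not demand TLS, the hole described in this post.

Added example for this post, not code from the page or from Tomcat. The two
web.xml documents below are constructed for the demo: BEFORE is the previous
post's setup (BASIC auth, no user-data-constraint) and AFTER adds
<transport-guarantee>CONFIDENTIAL</transport-guarantee>.
"""
import xml.etree.ElementTree as ET

BEFORE_WEB_XML = """<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test-app</web-resource-name>
      <url-pattern>/hello</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>appadmin</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>test-app-realm</realm-name>
  </login-config>
</web-app>"""

# Same document with the fix from this post applied.
AFTER_WEB_XML = BEFORE_WEB_XML.replace(
    "</auth-constraint>",
    "</auth-constraint>\n    <user-data-constraint>"
    "<transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>",
)


def _strip_namespaces(root):
    """web.xml may or may not carry the javaee namespace; work with local names."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]


def audit_web_xml(xml_text):
    """Return (auth_method, findings).

    findings holds one dict per <security-constraint>. A constraint is marked
    insecure when it names roles (so a client must send credentials to reach
    it) but its transport-guarantee is NONE or missing: with BASIC auth that
    means the Base64-encoded password can travel over plain http.
    """
    root = ET.fromstring(xml_text)
    _strip_namespaces(root)
    auth_method = (root.findtext("login-config/auth-method") or "NONE").strip()
    findings = []
    for sc in root.findall("security-constraint"):
        patterns = [(p.text or "").strip()
                    for p in sc.findall("web-resource-collection/url-pattern")]
        roles = [(r.text or "").strip() for r in sc.findall("auth-constraint/role-name")]
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE")
        guarantee = guarantee.strip().upper()
        findings.append({
            "name": (sc.findtext("web-resource-collection/web-resource-name") or "").strip(),
            "url_patterns": patterns,
            "roles": roles,
            "transport_guarantee": guarantee,
            # An empty <auth-constraint/> denies everyone, so no credentials
            # flow; only role-gated constraints without TLS are the problem.
            "insecure": bool(roles) and guarantee == "NONE",
        })
    return auth_method, findings


def whole_app_forced_to_tls(findings):
    """True if some constraint covers /* with a transport guarantee.

    The post's constraint covers only /hello; every other URL in the
    application is still served over http unless /* is constrained too.
    """
    return any("/*" in f["url_patterns"] and f["transport_guarantee"] != "NONE"
               for f in findings)


def report(label, xml_text):
    auth_method, findings = audit_web_xml(xml_text)
    print(f"== {label}: auth-method={auth_method}")
    for f in findings:
        status = "INSECURE" if f["insecure"] else "ok"
        print(f"  {status:8} {f['name']} {f['url_patterns']} roles={f['roles']} "
              f"transport={f['transport_guarantee']}")
    if not whole_app_forced_to_tls(findings):
        print("  note: no /* constraint; URLs outside the listed patterns stay on http")


if __name__ == "__main__":
    report("before (previous post)", BEFORE_WEB_XML)
    report("after (this post)", AFTER_WEB_XML)
```

Run it against your own web.xml by passing the file contents to audit_web_xml; any constraint reported INSECURE is one where BASIC credentials can be sent over http, and the /* note tells you whether the rest of the application is still reachable without TLS.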
