Guarantee mandatory use of SSL in web.xml

Posted on November 5, 2012. Filed under: java/j2EE

In the previous post, enable realm in server.xml <Realm>, we set up Basic authentication. That setup has a security hole, though.

The user can still connect through plain http (http://localhost:8080/test-app/hello) instead of https. Basic authentication only Base64-encodes the username and password, so over http they cross the network in cleartext, and anyone in a man-in-the-middle position can read them or tamper with the traffic.

We want to guarantee that users are always connected through https (https://localhost:8443/test-app/hello).

The issue is fixed by adding a <user-data-constraint> containing <transport-guarantee>CONFIDENTIAL</transport-guarantee> to the <security-constraint> in web.xml. CONFIDENTIAL tells the container that requests matching the constraint's url-pattern must not be served over an unencrypted connection.

If a user attempts to connect through http, Tomcat redirects the request to the SSL/TLS connector. The port in that redirect comes from the redirectPort attribute of the http <Connector> in server.xml (8443 in the default configuration); if no redirectPort is set, Tomcat answers 403 instead of redirecting.

— web.xml —

<web-app version="3.0"
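A complete web.xml that puts the constraint together, added here as an example and not the original post's file (whose body did not survive). The url-pattern /*, the role name tomcat and the realm name test-app are assumptions, as is that the <Realm> from the previous post already defines a user in that role.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the post's own web.xml. Assumptions: the application is
     deployed as /test-app, the role "tomcat" exists in the realm configured in
     server.xml, and "test-app" is an arbitrary realm name for the Basic challenge. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <!-- /* covers every URL, including /hello. A narrower pattern would
           leave the paths outside it reachable over plain http. -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <!-- WHO may access: only users in the (assumed) "tomcat" role. This is
         all the previous post's setup enforced. -->
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>

    <!-- HOW the request must travel. Leaving this element out reproduces the
         hole described above: the container authenticates over http and the
         Basic credentials cross the wire in cleartext. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>test-app</realm-name>
  </login-config>

  <security-role>
    <role-name>tomcat</role-name>
  </security-role>
</web-app>
```

To check the deployment, request `http://localhost:8080/test-app/hello` with curl using `-I` (or `-v`): the response should be a 302 whose Location header points at https://localhost:8443/test-app/hello, and the `WWW-Authenticate: Basic` challenge should only appear on the https request, because Tomcat enforces the transport guarantee before it authenticates. The port in that Location is the redirectPort of the http <Connector> in server.xml, so it must match the port of the https <Connector> (8443 in the default server.xml).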