Force Https in Websphere 6.1

Question

Hi

I was wondering how i can force a user who has requested a page using Http to use the secure https version?

I am using Websphere 6.1 as my application server and Rad 7 as my development environment

Thanks Damien

Answer 1

Websphere is not a complete http server. It does have 'Transport Chains', which act like an HTTP Server.

Normally you will put a HTTP server in front. IBM provides IHS (IBM HTTP Server) which is a lightly modified Apache HTTP Server. The HTTP Server is configured with the httpd.conf file. There you add redirects in such a way that request for http are redirected to https.

Maybe you can give some detailed information about your infrastructure.

Answer 2

One way that you could do this within your application rather than in the server configuration would be to use a Filter (specified in your web.xml) to check if ServletRequest.getScheme() is "http" or "https", and re-direct the user to the appropriate URL (using HttpServletResponse.sendRedirect(String url)).

Answer 3

I agree. I think using a Filter will achieve this. Here is a Filter I wrote for load balancing and port redirection but it should be easy to figure out how to edit it to fit your needs.

public class RequestWrapperFilter implements Filter {

public void doFilter(ServletRequest servletRequest,
  ServletResponse servletResponse, FilterChain filterChain)
  throws IOException, ServletException {

 HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
 HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

 String requestWrapperClassName = (String) (httpRequest
   .getAttribute(LoadBalancerRequestWrapper.class.getName()));

 String initiatingServerName = httpRequest.getServerName();

 if (requestWrapperClassName == null
   && initiatingServerName.equals(loadBalancerHostName)) {

  httpRequest = new LoadBalancerRequestWrapper(AuthenticationUtil
    .getHttpServletRequest(httpRequest));
 }

 filterChain.doFilter(httpRequest, httpResponse);
}

}

/**
 * The custom implementation of the request wrapper. It simply overrides the
 * getScheme() and getServerPort() methods to perform the redirect
 * filtering.
 * 
 * 
 */
private static class LoadBalancerRequestWrapper extends
  HttpServletRequestWrapper {

 /**
  * Default Constructor. Simply declares the Wrapper as injected.
  * 
  * @param httpServletRequest
  *            the app-server HttpServletRequest.
  * 
  */
 public LoadBalancerRequestWrapper(HttpServletRequest httpServletRequest) {
  super(httpServletRequest);
 }

 /**
  * The overridden scheme.
  * 
  */
 public final String getScheme() {
  if (loadBalancerHttpScheme.equals(EMPTY_STRING)) {
   return super.getScheme();
  }

  return loadBalancerHttpScheme;
 }
}

}