I am using JBoss 4.2, and I'd like a certain URL pattern to be visited through HTTPS. I used a self-certificated keystore file, and the problem is: once the HTTPS URL is visited, all other URLs in the site also go through HTTPS. What's the problem?

Updated: I found out the problem. I used relative paths to reference the resources, so once the URL changes to HTTPS, all the subsequent links start with HTTPS. So do I have to use absolute paths in HTTPS web pages?

My configuration is like this: in web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>artists.jsp</web-resource-name>
        <url-pattern>/artists.*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

in server.xml :

<Connector port="8443" 
   scheme="https"     
   secure="true"    
   clientAuth="false"  
   keystoreFile="${jboss.server.home.dir}/conf/server.keystore"  
   keystorePass="changeit"  
   sslProtocol = "TLS" /> 
+1  A: 

Unfortunately yes, since a URL starts with the protocol (http, https) you need absolute paths to switch between them.

My recommendation is: write a static method which formats your URLs fully qualified and introduce some naming convention like all pages starting with e.g. _sec are meant to be used with https.

Pseudocode (not tested just to illustrate the basic idea):

public static String fmtURL(String relpath) {
    // Pages whose path starts with "_sec" are meant to be served over https
    boolean secure = relpath.startsWith("_sec");
    String url = secure ? "https://" : "http://";
    url += hostname;                        // from a config file
    if (secure) {
        url += ":443";
    }
    url += "/" + relpath;                   // relpath has no leading slash
    return url;
}
stacker
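The behaviour discussed above, as an added example that is not part of the original question or answer: a relative link resolved against an HTTPS page keeps the scheme, host and port, while an absolute URL built per path can switch back to HTTP. The host name, the context path `/app` and HTTP port 8080 are assumptions; port 8443 and the `/artists.*` rule come from the configuration in the question.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class SchemeSwitchDemo {
    // Assumed deployment values (placeholders); 8443 matches the Connector in the question.
    static final String HOST = "www.example.com";
    static final int HTTP_PORT = 8080;
    static final int HTTPS_PORT = 8443;
    static final String CONTEXT = "/app"; // hypothetical context path

    // Mirrors the CONFIDENTIAL constraint in web.xml: only /artists.* needs HTTPS.
    static boolean needsHttps(String path) {
        return path.startsWith("/artists.");
    }

    // Builds an absolute URL for a context-relative path such as "/index.jsp",
    // choosing scheme and port from the path instead of inheriting them.
    static String absoluteUrl(String path) throws URISyntaxException {
        boolean secure = needsHttps(path);
        URI uri = new URI(secure ? "https" : "http", null, HOST,
                          secure ? HTTPS_PORT : HTTP_PORT,
                          CONTEXT + path, null, null);
        return uri.toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        // The page the browser is on after the container redirected to HTTPS.
        URI current = URI.create(
            "https://" + HOST + ":" + HTTPS_PORT + CONTEXT + "/artists.jsp");

        // Relative and root-relative links both inherit https and port 8443.
        System.out.println("relative      -> " + current.resolve("index.jsp"));
        System.out.println("root-relative -> " + current.resolve("/app/index.jsp"));

        // Absolute URLs pick the scheme per target path.
        System.out.println("absolute      -> " + absoluteUrl("/index.jsp"));
        System.out.println("absolute      -> " + absoluteUrl("/artists.jsp"));
    }
}
```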