[jetty-users] Jetty allowing non-encrypted traffic over SSL port

I have a webapp built with a framework (Jacada) that uses Jetty 4 (yes, it’s old) as the web server. It runs on Windows Server 2003.
 
I have successfully enabled SSL support by setting up an SSL listener. However, I have run into a security issue. A tester, after reaching the site via the secure URL, changed the URL from https to http and was able to continue working. That is, my configuration is allowing non-secured traffic to travel over the SSL port.
 
I would like to force my SSL listener to only allow secured traffic. Here’s what I’ve tried:
 
I added the following to [web_app_home_folder]\utils\web\jetty\etc\jetty.xml:
 
  <Call name="addHandler">
    <Arg><New class="org.mortbay.http.handler.HTAccessHandler">
      <Set name="AccessFile">.htaccess</Set>
    </New></Arg>
  </Call>
 
In [web_app_home_folder], I created a file named .htaccess that contains the following:
 
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
 
That did not have any effect. At this point I do not know if my changes to jetty.xml and my .htaccess file are even being detected.
 
Any ideas on what I might have missed? Is there a better way to get the behavior I want?
 
Thanks.
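One approach that does not depend on .htaccess processing, added here as an example and not part of the original post or of Jetty or Jacada: a servlet Filter that refuses to serve anything that did not arrive over TLS. Jetty 4's HTAccessHandler handles Apache-style access-control directives (AuthUserFile, AuthGroupFile, require) and does not interpret mod_rewrite rules, so a RewriteRule in .htaccess will not redirect anything. A Filter (Servlet 2.3, which Jetty 4 supports) runs inside the webapp regardless of which listener accepted the connection and asks the container via HttpServletRequest.isSecure(), which is true for requests that came through an SSL listener and false for a plain listener. The class name RequireTlsFilter and the init parameter securePort are my own choices; the web.xml snippet in the comment is what would register it.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects every request that did not arrive over TLS.
 *
 * Safe (GET/HEAD) requests are redirected to the same URL on https;
 * anything else (POST, PUT, ...) is refused outright, so a form that
 * was submitted in the clear is never silently replayed.
 *
 * Register it in WEB-INF/web.xml (Servlet 2.3), assumed names:
 *
 *   <filter>
 *     <filter-name>requireTls</filter-name>
 *     <filter-class>RequireTlsFilter</filter-class>
 *     <init-param>
 *       <param-name>securePort</param-name>
 *       <param-value>443</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>requireTls</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class RequireTlsFilter implements Filter {

    /** Port of the SSL listener; 443 unless overridden in web.xml. */
    private int securePort = 443;

    public void init(FilterConfig config) throws ServletException {
        String p = config.getInitParameter("securePort");
        if (p != null) {
            securePort = Integer.parseInt(p.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The container knows which listener accepted the connection;
        // this is true only for connections made through the SSL listener.
        if (request.isSecure()) {
            chain.doFilter(req, res);
            return;
        }

        String method = request.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method)) {
            // Rebuild the request URL with the https scheme and the SSL port.
            StringBuffer target = new StringBuffer("https://");
            target.append(request.getServerName());
            if (securePort != 443) {
                target.append(':').append(securePort);
            }
            target.append(request.getRequestURI());
            String query = request.getQueryString();
            if (query != null) {
                target.append('?').append(query);
            }
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", target.toString());
            return;
        }

        // Non-idempotent request sent in the clear: refuse rather than redirect,
        // because the body has already crossed the network unencrypted.
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS is required");
    }

    public void destroy() {
    }
}
```

Whether the redirect or the refusal fires tells you which path the tester actually took: a plain http URL on a different port means a non-SSL listener is still configured in jetty.xml and should be removed or restricted, whereas a TLS listener cannot complete a handshake on raw HTTP bytes at all. The filter guards the application either way.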
 
