Re: [jetty-users] Jetty allowing non-encrypted traffic over SSL port

Unfortunately, upgrading to a newer version of Jetty is not an option for this deployment. Not at this time.

I still believe that this sort of configuration is possible with Jetty 4, but I just can't figure it out.


On Jun 27, 2013, at 1:34 PM, Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:

I'm confused, did you upgrade to Jetty 7, 8 or 9?
Or are you still on Jetty 4? (a codebase that was retired in 2006)

It will be tough finding anyone with experience in Jetty 4.
We don't even have access to the source code or old binaries of Jetty 4 anymore.


--
Joakim Erdfelt <joakim@xxxxxxxxxxx>
Developer advice, services and support
from the Jetty & CometD experts


On Thu, Jun 27, 2013 at 11:30 AM, Catatonic <cat.atonic.mail@xxxxxxxxx> wrote:
I have a webapp built with a framework (Jacada) that uses Jetty 4 (yes, it’s old) as the web server. It runs on Windows Server 2003.
 
I have successfully enabled SSL support by setting up an SSL listener. However, I have run into a security issue. A tester, after reaching the site via the secure URL, changed the URL from https to http and was able to continue working. That is, my configuration is allowing non-secured traffic to travel over the SSL port.
 
I would like to force my SSL listener to only allow secured traffic. Here’s what I’ve tried:
 
I added the following to [web_app_home_folder]\utils\web\jetty\etc\jetty.xml:
 
  <Call name="addHandler">
    <Arg><New class="org.mortbay.http.handler.HTAccessHandler">
      <Set name="AccessFile">.htaccess</Set>
    </New></Arg>
  </Call>
 
In [web_app_home_folder], I created a file named .htaccess that contains the following:
 
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
 
That did not have any effect. At this point I do not know if my changes to jetty.xml and my .htaccess file are even being detected.
 
Any ideas on what I might have missed? Is there a better way to get the behavior I want?
 
Thanks.
 

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users
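
Added example, not part of the original thread or of Jetty's documentation: the Servlet specification's declarative way to require an encrypted transport is a CONFIDENTIAL transport guarantee in the web application's WEB-INF/web.xml. The fragment assumes a Servlet 2.3 deployment descriptor and a container that enforces it; whether the Jetty 4 deployment discussed above honors it has not been verified, and the resource name is a placeholder.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Existing servlet, filter and mapping elements stay above this point;
       the 2.3 DTD requires security-constraint to come after them. -->

  <security-constraint>
    <web-resource-collection>
      <!-- Placeholder name; it is only a label for this constraint. -->
      <web-resource-name>entire-application</web-resource-name>
      <!-- Cover every path in the webapp. No http-method elements are
           listed, so the constraint applies to all HTTP methods. -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <!-- No auth-constraint: this block does not add a login requirement,
         it only constrains the transport. -->
    <user-data-constraint>
      <!-- CONFIDENTIAL: the container must refuse or redirect any request
           that did not arrive over an encrypted connection.
           The weak setting would be NONE (or omitting this element). -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

To confirm the behaviour the tester reported is gone, repeat the same request with the scheme changed to http after redeploying and check that it is redirected or rejected rather than served.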

