Re: [jetty-users] Jetty allowing non-encrypted traffic over SSL port

Yes, Jetty 4, from the dim and distant past.

I saw stuff on the web about the security-constraint, but, as it happens, there is no web.xml in my installation, unless it's buried in one of the Jetty jar files. Here are all of the web.xml files I have in [web_app_home_folder]\utils\web\jetty\etc:

admin.xml
demo.xml
demoSSO.xml
j2me.xml
jetty.xml
proxy.xml
stresstest.xml
watchdog.xml
webdefault.xml

So maybe I should just create a web.xml in that folder and add the security-constraint to it?


On Jun 27, 2013, at 2:16 PM, Thomas Becker <tbecker@xxxxxxxxxxx> wrote:

Add a security-constraint to your application's web.xml. That should even work with Jetty 4 (Jesus!). Google for the details.

On 27.06.2013 21:13, "Catatonic" <cat.atonic.mail@xxxxxxxxx> wrote:
>
> Unfortunately, upgrading to a newer version of Jetty is not an option for this deployment. Not at this time.
>
> I still believe that this sort of configuration is possible with Jetty 4, but I just can't figure it out.
>
>
> On Jun 27, 2013, at 1:34 PM, Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
>
> I'm confused, did you upgrade to Jetty 7, 8 or 9?
> Or are you still on Jetty 4? (a codebase that was retired in 2006)
>
> It will be tough finding anyone with experience in Jetty 4.
> We don't even have access to the source code or old binaries of Jetty 4 anymore.
>
>
> --
> Joakim Erdfelt <joakim@xxxxxxxxxxx>
> webtide.com
> Developer advice, services and support
> from the Jetty & CometD experts
> eclipse.org/jetty - cometd.org
>
>
> On Thu, Jun 27, 2013 at 11:30 AM, Catatonic <cat.atonic.mail@xxxxxxxxx> wrote:
>>
>> I have a webapp built with a framework (Jacada) that uses Jetty 4 (yes, it’s old) as the web server. It runs on Windows Server 2003.
>>  
>> I have successfully enabled SSL support by setting up an SSL listener. However, I have run into a security issue. A tester, after reaching the site via the secure URL, changed the URL from https to http and was able to continue working. That is, my configuration is allowing non-secured traffic to travel over the SSL port.
>>  
>> I would like to force my SSL listener to only allow secured traffic. Here’s what I’ve tried:
>>  
>> I added the following to [web_app_home_folder]\utils\web\jetty\etc\jetty.xml:
>>  
>>   <Call name="addHandler">
>>     <Arg><New class="org.mortbay.http.handler.HTAccessHandler">
>>       <Set name="AccessFile">.htaccess</Set>
>>     </New></Arg>
>>   </Call>
>>  
>> In [web_app_home_folder], I created a file named .htaccess that contains the following:
>>  
>> RewriteEngine On
>> RewriteCond %{HTTPS} !=on
>> RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
>>  
>> That did not have any effect. At this point I do not know if my changes to jetty.xml and my .htaccess file are even being detected.
>>  
>> Any ideas on what I might have missed? Is there a better way to get the behavior I want?
>>  
>> Thanks.
>>  
>>
>> _______________________________________________
>> jetty-users mailing list
>> jetty-users@xxxxxxxxxxx
>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>
>

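The security-constraint suggested in this thread, as an added example that is not part of the original messages or of any Jetty distribution file: a minimal `WEB-INF/web.xml` using the standard Servlet 2.3 deployment descriptor. It assumes Jetty 4 processes Servlet 2.3 descriptors; the display name and resource name are constructed placeholders.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">

<!-- Location: [web_app_home_folder]/WEB-INF/web.xml of the application itself
     (standard servlet layout), not the server's etc directory. -->
<web-app>
  <!-- Constructed placeholder name -->
  <display-name>example-app</display-name>

  <security-constraint>
    <web-resource-collection>
      <!-- Constructed placeholder name -->
      <web-resource-name>Entire application</web-resource-name>
      <!-- Cover every URL in the context. No http-method elements are
           listed, so the constraint applies to all HTTP methods. -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <!-- No auth-constraint: this block does not require a login,
         it only restricts the transport. -->
    <user-data-constraint>
      <!-- CONFIDENTIAL: the container must only serve these resources
           over a transport that prevents eavesdropping (SSL/TLS).
           The other spec values are NONE and INTEGRAL. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
```

To verify the change, request a page over plain `http://` after a restart and confirm the server no longer returns the application content.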
