The following section should force all clients to use an HTTPS connection.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>securedapp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
What actually happens is that only the index.html page is secured by SSL. So a request like http://localhost/JAX-RS_Service/ is redirected to https://localhost/JAX-RS_Service/ and the index.html page is displayed. The same happens for http://localhost/JAX-RS_Service/index.html.
But if I try to request http://localhost/JAX-RS_Service/services/customers/1, there is no redirection to https, so everything is sent in plaintext over the wire.
The same happens when enforcing authentication:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Authenticated customers only</web-resource-name>
    <url-pattern>/services/customers/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>CUST</role-name>
  </auth-constraint>
</security-constraint>
A url-pattern like <url-pattern>/services/*</url-pattern> won't do the job.
Why isn't the <url-pattern>/*</url-pattern> working for sublocations? Is there a way to fix this?
Actually I have no idea why, but the following configuration solved my problem.
The
<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
needs to be added in each <security-constraint>, otherwise it won't work for JBoss. The interesting thing is that for Tomcat you have to define the <transport-guarantee>CONFIDENTIAL</transport-guarantee> just once for the <url-pattern>/*</url-pattern> and everything is secured properly. In my opinion this is much more reasonable!
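As an added check that is not part of the question or the answer: a small Python script that parses a web.xml, lists every <security-constraint> whose transport guarantee is not CONFIDENTIAL (the gap the answer describes on JBoss), and adds the missing <user-data-constraint> to each of them. The sample web.xml and the function names are the example's own; the sample is constructed from the two constraints posted above.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml mirroring the two constraints from the question:
# only the first one carries a CONFIDENTIAL transport guarantee.
SAMPLE_WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><web-resource-name>securedapp</web-resource-name>
   <url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><web-resource-name>Authenticated customers only</web-resource-name>
   <url-pattern>/services/customers/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>CUST</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

def _kids(elem, name):
    # Compare local names so the check works with or without an xmlns on <web-app>.
    return [c for c in elem if c.tag.split('}', 1)[-1] == name]

def _is_confidential(sc):
    return any((tg.text or '').strip().upper() == 'CONFIDENTIAL'
               for udc in _kids(sc, 'user-data-constraint')
               for tg in _kids(udc, 'transport-guarantee'))

def find_unencrypted_constraints(web_xml):
    # Return [(web-resource-name, [url-patterns])] for every constraint that does not demand TLS.
    findings = []
    for sc in _kids(ET.fromstring(web_xml), 'security-constraint'):
        if _is_confidential(sc):
            continue
        for wrc in _kids(sc, 'web-resource-collection'):
            name = next((n.text for n in _kids(wrc, 'web-resource-name')), '?')
            findings.append((name, [p.text for p in _kids(wrc, 'url-pattern')]))
    return findings

def add_confidential(web_xml):
    # Return the web.xml with a CONFIDENTIAL <user-data-constraint> in every <security-constraint>.
    root = ET.fromstring(web_xml)
    ns = root.tag[:root.tag.index('}') + 1] if root.tag.startswith('{') else ''
    for sc in _kids(root, 'security-constraint'):
        if not _is_confidential(sc):
            for old in _kids(sc, 'user-data-constraint'):
                sc.remove(old)  # drop NONE/INTEGRAL; CONFIDENTIAL replaces it
            udc = ET.SubElement(sc, ns + 'user-data-constraint')
            ET.SubElement(udc, ns + 'transport-guarantee').text = 'CONFIDENTIAL'
    return ET.tostring(root, encoding='unicode')
```

Running find_unencrypted_constraints over the sample reports the "Authenticated customers only" constraint for /services/customers/*; after add_confidential it reports nothing.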