Question

I was wondering how I can force a user who has requested a page using HTTP to use the secure HTTPS version?

I am using WebSphere 6.1 as my application server and RAD 7 as my development environment.

Thanks, Damien


Solution

One way that you could do this within your application rather than in the server configuration would be to use a Filter (specified in your web.xml) to check if ServletRequest.getScheme() is "http" or "https", and re-direct the user to the appropriate URL (using HttpServletResponse.sendRedirect(String url)).
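A minimal version of the filter described in this answer, added here as an example and not code from the original poster. The class name `HttpsRedirectFilter` and the init-param names `httpsHost` and `httpsPort` are assumptions; it uses only the Servlet 2.4 API so it fits WebSphere 6.1.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: redirects plain-HTTP requests to the HTTPS URL of the same resource. */
public class HttpsRedirectFilter implements Filter {

    // Hypothetical init-params, set in the <filter> element of web.xml.
    private String httpsHost;   // canonical host name, e.g. "www.example.com"
    private int httpsPort;      // 443 unless the SSL transport listens elsewhere

    public void init(FilterConfig config) throws ServletException {
        httpsHost = config.getInitParameter("httpsHost");
        if (httpsHost == null || httpsHost.length() == 0) {
            throw new ServletException("init-param httpsHost is required");
        }
        String port = config.getInitParameter("httpsPort");
        httpsPort = (port == null) ? 443 : Integer.parseInt(port);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getScheme() reports what the container saw. If TLS is terminated by a
        // proxy in front of the server, it is "http" for every request and this
        // check would redirect forever.
        if ("https".equalsIgnoreCase(request.getScheme())) {
            chain.doFilter(request, response);
            return;
        }

        // Build the target from configuration, not from the client's Host header,
        // so a forged Host value cannot steer the redirect to another site.
        StringBuffer target = new StringBuffer("https://").append(httpsHost);
        if (httpsPort != 443) {
            target.append(':').append(httpsPort);
        }
        target.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            target.append('?').append(request.getQueryString());
        }
        response.sendRedirect(target.toString());
    }

    public void destroy() {
    }
}
```

The redirect only moves the browser to HTTPS for the next request; the first request, including any cookies or form data it carried, has already crossed the network unencrypted.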

OTHER TIPS

You can add the following entry in your web.xml and it will make sure all requests are converted to https:

<!--********************************
   *** SSL Security Constraint  ***
   *****************************-->
   <security-constraint>
       <web-resource-collection>
           <web-resource-name>SSL</web-resource-name>
           <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
   </security-constraint>

<!--********************************* -->

WebSphere is not a complete HTTP server. It does have 'Transport Chains', which act like an HTTP server.

Normally you will put an HTTP server in front. IBM provides IHS (IBM HTTP Server), which is a lightly modified Apache HTTP Server. The HTTP Server is configured with the httpd.conf file. There you add redirects in such a way that requests for http are redirected to https.

Maybe you can give some detailed information about your infrastructure.

I agree. I think using a Filter will achieve this. Here is a Filter I wrote for load balancing and port redirection but it should be easy to figure out how to edit it to fit your needs.

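import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

public class RequestWrapperFilter implements Filter {

    // These three fields are used below but were not declared in the post;
    // the empty values are placeholders to replace for your deployment.
    private static final String EMPTY_STRING = "";
    private static String loadBalancerHostName = EMPTY_STRING;
    private static String loadBalancerHttpScheme = EMPTY_STRING;

    public void init(FilterConfig filterConfig) throws ServletException {
        // No initialisation was shown in the post.
    }

    public void doFilter(ServletRequest servletRequest,
            ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {

        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

        String requestWrapperClassName = (String) (httpRequest
                .getAttribute(LoadBalancerRequestWrapper.class.getName()));

        String initiatingServerName = httpRequest.getServerName();

        // Wrap only requests that arrived through the load balancer and
        // have not been wrapped already.
        if (requestWrapperClassName == null
                && initiatingServerName.equals(loadBalancerHostName)) {

            // AuthenticationUtil is the poster's own helper class; its
            // source is not part of the post.
            httpRequest = new LoadBalancerRequestWrapper(AuthenticationUtil
                    .getHttpServletRequest(httpRequest));
        }

        filterChain.doFilter(httpRequest, httpResponse);
    }

    public void destroy() {
        // Nothing to release.
    }

    /**
     * The custom implementation of the request wrapper. It simply overrides the
     * getScheme() and getServerPort() methods to perform the redirect
     * filtering (only getScheme() is included in this post).
     */
    private static class LoadBalancerRequestWrapper extends
            HttpServletRequestWrapper {

        /**
         * Default Constructor. Simply declares the Wrapper as injected.
         *
         * @param httpServletRequest
         *            the app-server HttpServletRequest.
         */
        public LoadBalancerRequestWrapper(HttpServletRequest httpServletRequest) {
            super(httpServletRequest);
        }

        /**
         * The overridden scheme. Falls back to the container's value when no
         * load-balancer scheme is configured.
         */
        public final String getScheme() {
            if (loadBalancerHttpScheme.equals(EMPTY_STRING)) {
                return super.getScheme();
            }

            return loadBalancerHttpScheme;
        }
    }

}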

Licensed under: CC-BY-SA with attribution