Redirect all HTTP request to HTTPS request without code change

Question

My web application runs in shared server(Websphere), Now my application runs for both the HTTP and HTTPS request . Usually when the application runs it shows like below https://localhost:9443/index.jsp. If the user try to change the https to http and submit the request, server accepts the request. I need to avoid the scenario and make the application to support only for https request on application level. Kindly anyone help me out.

Answer 1

Verify that both global and application security are enabled in the WebSphere admin console.

Answer 2

An alternative for denying user non-https connection is to simply delete http transport chain; Go to Application servers > your server > Web container transport chains, select WCInboundDefault and click delete. Now you are left only with WCInboundDefaultSecure transport chain, which listens on SSL port.

Another alternative equally effective is to remove host alias for you non-https port at Virtual Hosts > default_host > Host Aliases- this feels like a less brutal configuration change :)

If you prefer redirection over restriction, I suggest you do it before you hit application server, for example at web server or load balancer. If you're using Apache HTTP server or IBM HTTP Server in front of WAS, you may manage the redirect with mod_rewrite.

Answer 3

<security-constraint>
<web-resource-collection>
    <web-resource-name>https</web-resource-name>
    <description>No Description</description>
    <url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
    <description>No Description</description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

Add the above user-data-constraint in your web.xml. Which will redirect all the http request to https.