Suji Thang

Reputation: 135

How to force redirect to HTTPS when application has no web.xml

I'm developing a web application using Servlet 3.x and I do not have a web.xml; instead I use the configuration annotations. I want to restrict all traffic to my application that's deployed in OpenShift to be HTTPS. I found this article on how to do it in Tomcat (JBoss EWS).

https://help.openshift.com/hc/en-us/articles/202398810-How-to-redirect-traffic-to-HTTPS-

However the last step involves me changing the web.xml which I do not have. When I tried to find alternatives I could find articles on Servlet security. Can someone help me with the translation for this code snippet below?

A sample security-constraint directive in repo/src/main/webapp/WEB-INF/web.xml looks like:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Upvotes: 1

Views: 2708

Answers (1)

Gas

Reputation: 18030

Currently it is not possible to map <url-pattern>/*</url-pattern> using the @ServletSecurity annotation. It will only apply to the patterns defined in the @WebServlet.

You could define annotations like this:

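import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
// Requires a confidential (HTTPS) transport only for the URL pattern mapped below.
@ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
@WebServlet("/SSLServlet")
public class SSLProtected extends HttpServlet {
}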

However, it would only impose the SSL requirement for accessing that servlet (the /SSLServlet pattern), not the whole application. You could define such annotations for all your servlets, but it's much more error-prone than using web.xml. That's why it is still recommended to use web.xml instead of annotations to define security constraints.

Just add web.xml to the WEB-INF folder in your application with the fragment you provided and you will be good. Any reasons why you cannot use web.xml?

Upvotes: 4
