BX21

Reputation: 461

websphere liberty - Force https for site without user authentication

I want to configure websphere liberty profile to serve pages over https only. In particular, requests to http should either be blocked, or redirected to https.

I have set up <security-constraint> in web.xml as follows:

<security-constraint>
    <display-name>UserConstraint</display-name>

    <web-resource-collection>
        <web-resource-name>UserCollection</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>TRACE</http-method>
        <http-method>POST</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

I have also added the [ssl-1.0] feature and a default key store. This causes HTTPS to work correctly; however, all pages are still accessible over HTTP (it does not redirect or block).

Next I added the feature [appSecurity-2.0], and this causes HTTP to redirect to HTTPS correctly. However, I see the following error in the console:

[ERROR   ] CWWKS3005E: A configuration exception has occurred. No UserRegistry implementation service is available.  Ensure that you have a user registry configured.

As mentioned, I do not have a user registry set up in server.xml, as the authentication is done in the application itself. What should be done to resolve this error, without changing the application to use User Registry?

Also, is there any other configuration needed in web.xml, to prevent access over HTTP? I would have thought that the <security-constraint> was enough for that?

EDIT: I am sending a Basic Auth header for doing the authentication, in case it was unclear.

Upvotes: 2

Views: 5682

Answers (3)

James

Reputation: 1293

In your web.xml add:

<user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

That will redirect to https.

Upvotes: 0

Gas

Reputation: 18020

Add <basicRegistry></basicRegistry> to your server.xml. It will not be used by your application since your security-constraint doesn't define any auth-constraint.

Regarding your other comment: this might be a result of the server trying to interpret your basic auth header and not finding the user in the registry.

However, if you are using basic authentication anyway, you could benefit from allowing the server to create that request by protecting your web module and, instead of using the basic registry, implementing your custom registry as a Liberty feature; see Developing a custom user registry for the Liberty profile.

Upvotes: 2

Alasdair

Reputation: 3176

Simplest thing to do is to disable the http port in the server.xml:

<httpEndpoint id="defaultHttpEndpoint" httpPort="-1"/>

Upvotes: 4
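The two accepted fixes above (an empty basicRegistry to satisfy appSecurity-2.0, and httpPort="-1" to switch the plain HTTP listener off) fit together in one server.xml. The following is an added, hypothetical example written for this page, not configuration from the original post: the feature list, the key store id and placeholder password, the registry id/realm, the https port and the myapp.war location are all assumptions you would replace with your own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- server.xml (hypothetical example, not from the original post) -->
<server description="HTTPS-only Liberty server">

    <featureManager>
        <feature>servlet-3.1</feature>
        <feature>ssl-1.0</feature>
        <!-- appSecurity-2.0 is what makes the CONFIDENTIAL transport-guarantee
             in web.xml actually enforced; without it the constraint is ignored. -->
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <!-- Key store backing the default SSL configuration. "changeit" is a
         placeholder; encode a real password with securityUtility encode. -->
    <keyStore id="defaultKeyStore" password="changeit" />

    <!-- Empty registry: satisfies CWWKS3005E (appSecurity-2.0 needs some
         UserRegistry service) without defining any users. The application
         keeps doing its own Basic Auth because no auth-constraint exists. -->
    <basicRegistry id="basic" realm="BasicRealm" />

    <!-- httpPort="-1" removes the plain HTTP listener altogether, so an
         unencrypted request is refused at the socket and nothing is ever
         redirected. Only the TLS endpoint is bound. -->
    <httpEndpoint id="defaultHttpEndpoint"
                  host="*"
                  httpPort="-1"
                  httpsPort="9443" />

    <!-- Application location is an assumption for the example. -->
    <webApplication id="myapp" location="myapp.war" />
</server>
```

Two caveats worth keeping in mind when choosing between blocking and redirecting. First, the redirect route (leaving httpPort open and relying on the CONFIDENTIAL constraint) still lets a client send its first request, Basic Auth header included, over plain HTTP before the 302 arrives, so the credentials are exposed once; disabling the port as above closes that window, and the web.xml constraint remains as defence in depth if the port is ever re-enabled. Second, the question's security-constraint enumerates http-method elements; under the Servlet specification a constraint that lists methods applies only to those methods, so any method not listed (PATCH, for instance) is uncovered. Omitting the http-method elements entirely makes the constraint cover every method, and on servlet-3.1 the deny-uncovered-http-methods element in web.xml can reject anything that slips through.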
