I'm trying to enable SSL on a very old J2EE application I support. The application runs within WebSphere 6.1. I've enabled application security in the WAS profile running the application, but the web.xml config below still lets users access the site using HTTP or HTTPS.
I've tried several different url patterns, but none seem to work:
/*
/jsp/*
/gatewayRMIWEB/*
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app id="WebApp">
<display-name>gatewayRMIWEB</display-name>
<filter>
<filter-name>LoginFilter</filter-name>
<display-name>LoginFilter</display-name>
<filter-class>com.dc.gateway.servlet.LoginFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>LoginFilter</filter-name>
<url-pattern>/jsp/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>GatewayClient</servlet-name>
<display-name>GatewayClient</display-name>
<servlet-class>com.dc.gateway.servlet.GatewayClient</servlet-class>
<init-param>
<param-name>log4j-init-file</param-name>
<param-value>/WEB-INF/logger.lcf</param-value>
</init-param>
</servlet>
<servlet>
<servlet-name>SecurityCheck</servlet-name>
<display-name>SecurityCheck</display-name>
<servlet-class>com.dc.gateway.servlet.SecurityCheck</servlet-class>
</servlet>
<servlet>
<servlet-name>Logoff</servlet-name>
<display-name>Logoff</display-name>
<servlet-class>com.dc.gateway.servlet.Logoff</servlet-class>
</servlet>
<servlet>
<servlet-name>Settings</servlet-name>
<display-name>Settings</display-name>
<servlet-class>com.dc.gateway.servlet.Settings</servlet-class>
</servlet>
<servlet>
<servlet-name>changepassword</servlet-name>
<display-name>changepassword</display-name>
<servlet-class>com.dc.gateway.servlet.changepassword</servlet-class>
</servlet>
<servlet>
<servlet-name>subdetailupdate</servlet-name>
<display-name>subdetailupdate</display-name>
<servlet-class>com.dc.gateway.servlet.subdetailupdate</servlet-class>
</servlet>
<servlet>
<servlet-name>subscriberdelete</servlet-name>
<display-name>subscriberdelete</display-name>
<servlet-class>com.dc.gateway.servlet.subscriberdelete</servlet-class>
</servlet>
<servlet>
<servlet-name>subscriberdetailedit</servlet-name>
<display-name>subscriberdetailedit</display-name>
<servlet-class>com.dc.gateway.servlet.subscriberdetailedit</servlet-class>
</servlet>
<servlet>
<servlet-name>subscriberedit</servlet-name>
<display-name>subscriberedit</display-name>
<servlet-class>com.dc.gateway.servlet.subscriberedit</servlet-class>
</servlet>
<servlet>
<servlet-name>subscribernew</servlet-name>
<display-name>subscribernew</display-name>
<servlet-class>com.dc.gateway.servlet.subscribernew</servlet-class>
</servlet>
<servlet>
<servlet-name>TrnlogPurge</servlet-name>
<display-name>TrnlogPurge</display-name>
<servlet-class>com.dc.gateway.servlet.TrnlogPurge</servlet-class>
</servlet>
<servlet>
<servlet-name>As400Pool</servlet-name>
<display-name>As400Pool</display-name>
<servlet-class>com.dc.gateway.servlet.As400Pool</servlet-class>
</servlet>
<servlet>
<servlet-name>Resubmit</servlet-name>
<display-name>Resubmit</display-name>
<servlet-class>com.dc.gateway.servlet.Resubmit</servlet-class>
</servlet>
<servlet>
<servlet-name>SearchPrepare</servlet-name>
<display-name>SearchPrepare</display-name>
<servlet-class>com.dc.gateway.servlet.SearchPrepare</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>GatewayClient</servlet-name>
<url-pattern>/GatewayClient</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>SecurityCheck</servlet-name>
<url-pattern>/SecurityCheck</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Logoff</servlet-name>
<url-pattern>/Logoff</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Settings</servlet-name>
<url-pattern>/Settings</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>changepassword</servlet-name>
<url-pattern>/changepassword</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>subdetailupdate</servlet-name>
<url-pattern>/subdetailupdate</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>subscriberdelete</servlet-name>
<url-pattern>/subscriberdelete</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>subscriberdetailedit</servlet-name>
<url-pattern>/subscriberdetailedit</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>subscriberedit</servlet-name>
<url-pattern>/subscriberedit</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>subscribernew</servlet-name>
<url-pattern>/subscribernew</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TrnlogPurge</servlet-name>
<url-pattern>/TrnlogPurge</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>As400Pool</servlet-name>
<url-pattern>/As400Pool</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Resubmit</servlet-name>
<url-pattern>/Resubmit</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>SearchPrepare</servlet-name>
<url-pattern>/SearchPrepare</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>jsp/login.jsp</welcome-file>
</welcome-file-list>
<resource-ref id="ResourceRef_1084824065465">
<res-ref-name>jdbc/cg</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
<res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>
<env-entry>
<description>soft-coded datasource jndi name</description>
<env-entry-name>datasource-jndi-cms</env-entry-name>
<env-entry-value>jdbc/cg</env-entry-value>
<env-entry-type>java.lang.String</env-entry-type>
</env-entry>
<env-entry>
<description>soft-coded datasource jndi name</description>
<env-entry-name>datasource-jndi-erp</env-entry-name>
<env-entry-value>jdbc/erp</env-entry-value>
<env-entry-type>java.lang.String</env-entry-type>
</env-entry>
<security-constraint>
<display-name>gatewayRMIWEB</display-name>
<web-resource-collection>
<web-resource-name>allresources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
</web-app>
If you want to protect the whole application the following pattern should do the trick:
At least this works on my 8.5.5.
Did you restart the server after enabling application security?
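As an added example (not part of the original question or answer): a Python check that a descriptor shaped like the one in the question places every mapped servlet and welcome file under a transport guarantee that requires TLS, using the servlet spec's best-match rule for `url-pattern`. The sample descriptor is constructed and trimmed; the code assumes a DTD-based web.xml without an XML namespace, exact-path servlet mappings, and ignores `http-method`.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the shape of the descriptor in the question.
WEB_XML = """<web-app id="WebApp">
  <servlet-mapping><servlet-name>GatewayClient</servlet-name>
    <url-pattern>/GatewayClient</url-pattern></servlet-mapping>
  <welcome-file-list><welcome-file>jsp/login.jsp</welcome-file></welcome-file-list>
  <security-constraint>
    <web-resource-collection><web-resource-name>allresources</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

def specificity(pattern, path):
    """Rank of a servlet-spec url-pattern match for path; 0 means no match."""
    if pattern == path:
        return 10_000                                   # exact match wins
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return 1_000 + len(prefix)                  # longest prefix wins
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return 100                                      # extension match
    return 1 if pattern == "/" else 0                   # default pattern

def requires_tls(web_xml, path):
    """True if every constraint on the best-matching pattern demands TLS."""
    best, guarantees = 0, []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        tg = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        for pat in sc.iter("url-pattern"):
            rank = specificity((pat.text or "").strip(), path)
            if rank > best:
                best, guarantees = rank, [tg]
            elif rank and rank == best:
                guarantees.append(tg)
    # Constraints on one pattern combine to the union of accepted transports,
    # so a single NONE (or missing user-data-constraint) lets plain HTTP through.
    return bool(guarantees) and all(g in ("CONFIDENTIAL", "INTEGRAL") for g in guarantees)

def audit(web_xml):
    """Map each servlet mapping and welcome file to whether TLS is required."""
    root = ET.fromstring(web_xml)
    paths = [p.text.strip() for p in root.findall("servlet-mapping/url-pattern")]
    paths += ["/" + w.text.strip().lstrip("/") for w in root.iter("welcome-file")]
    return {p: requires_tls(web_xml, p) for p in paths}

if __name__ == "__main__":
    print(audit(WEB_XML))
```

If every path reports `True`, the descriptor already asks for TLS everywhere, and what remains to check is on the server side, as the restart question in the answer suggests.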