web.xml is part of your war file. Check your war file for a WEB-INF/web.xml file; that's the file where you enforce security constraints. This is a servlet spec standardized configuration component.
Example <https://github.com/eclipse/jetty.project/blob/master/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml#L299-L307>:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

--
Joakim Erdfelt <[email protected]>
webtide.com <http://www.webtide.com/>
Developer advice, services and support
from the Jetty & CometD experts
eclipse.org/jetty - cometd.org


On Thu, Jun 27, 2013 at 12:43 PM, Catatonic <[email protected]> wrote:

> Yes, Jetty 4, from the dim and distant past.
>
> I saw stuff on the web about the security-constraint, but, as it happens, there is no web.xml in my installation, unless it's buried in one of the Jetty jar files. Here are all of the web.xml files I have in [web_app_home_folder]\utils\web\jetty\etc:
>
> admin.xml
> demo.xml
> demoSSO.xml
> j2me.xml
> jetty.xml
> proxy.xml
> stresstest.xml
> watchdog.xml
> webdefault.xml
>
> So maybe I should just create a web.xml in that folder and add the security-constraint to it?
>
>
> On Jun 27, 2013, at 2:16 PM, Thomas Becker <[email protected]> wrote:
>
> Add a security-constraint to your application's web.xml. That should even work with jetty 4 (Jesus!). Google for the details.
>
> On 27.06.2013 at 21:13, "Catatonic" <[email protected]> wrote:
> >
> > Unfortunately, upgrading to a newer version of Jetty is not an option for this deployment. Not at this time.
> >
> > I still believe that this sort of configuration is possible with Jetty 4, but I just can't figure it out.
> >
> >
> > On Jun 27, 2013, at 1:34 PM, Joakim Erdfelt <[email protected]> wrote:
> >
> > I'm confused, did you upgrade to Jetty 7, 8 or 9?
> > Or are you still on Jetty 4? (a codebase that was retired in 2006)
> >
> > It will be tough finding anyone with experience in Jetty 4.
> > We don't even have access to the source code or old binaries of Jetty 4 anymore.
> >
> >
> > --
> > Joakim Erdfelt <[email protected]>
> > webtide.com
> > Developer advice, services and support
> > from the Jetty & CometD experts
> > eclipse.org/jetty - cometd.org
> >
> >
> > On Thu, Jun 27, 2013 at 11:30 AM, Catatonic <[email protected]> wrote:
> >>
> >> I have a webapp built with a framework (Jacada) that uses Jetty 4 (yes, it’s old) as the web server. It runs on Windows Server 2003.
> >>
> >> I have successfully enabled SSL support by setting up an SSL listener. However, I have run into a security issue. A tester, after reaching the site via the secure URL, changed the URL from https to http and was able to continue working. That is, my configuration is allowing non-secured traffic to travel over the SSL port.
> >>
> >> I would like to force my SSL listener to only allow secured traffic. Here’s what I’ve tried:
> >>
> >> I added the following to [web_app_home_folder]\utils\web\jetty\etc\jetty.xml:
> >>
> >>   <Call name="addHandler">
> >>     <Arg><New class="org.mortbay.http.handler.HTAccessHandler">
> >>       <Set name="AccessFile">.htaccess</Set>
> >>     </New></Arg>
> >>   </Call>
> >>
> >> In [web_app_home_folder], I created a file named .htaccess that contains the following:
> >>
> >>   RewriteEngine On
> >>   RewriteCond %{HTTPS} !=on
> >>   RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
> >>
> >> That did not have any effect. At this point I do not know if my changes to jetty.xml and my .htaccess file are even being detected.
> >>
> >> Any ideas on what I might have missed? Is there a better way to get the behavior I want?
> >>
> >> Thanks.
_______________________________________________
jetty-users mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/jetty-users
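
The check suggested at the top of this thread (look in the war file for WEB-INF/web.xml and its security-constraint) can be scripted. The following is an added example, not code from the thread or from the Jetty project; the function names and the in-memory sample archive are constructed for illustration. It goes slightly beyond the thread by also skipping collections limited to specific HTTP methods, since those leave other methods unconstrained.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop any "{namespace}" prefix so DTD-era and namespaced web.xml both match.
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]

def confidential_patterns(war_bytes):
    """url-patterns forced to CONFIDENTIAL for all methods; None if no web.xml."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        if "WEB-INF/web.xml" not in war.namelist():
            return None
        root = ET.fromstring(war.read("WEB-INF/web.xml"))
    found = []
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        if "CONFIDENTIAL" not in _texts(sc, "transport-guarantee"):
            continue
        for coll in (e for e in sc.iter() if _local(e.tag) == "web-resource-collection"):
            # A collection that names HTTP methods constrains only those methods.
            if _texts(coll, "http-method") or _texts(coll, "http-method-omission"):
                continue
            found.extend(_texts(coll, "url-pattern"))
    return found

def forces_https_everywhere(war_bytes):
    patterns = confidential_patterns(war_bytes)
    return bool(patterns) and "/*" in patterns

def make_war(web_xml=None):
    # Constructed sample archive, built in memory so the example runs offline.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("index.html", "<html/>")
        if web_xml is not None:
            war.writestr("WEB-INF/web.xml", web_xml)
    return buf.getvalue()

CONSTRAINT = """<web-app><security-constraint>
  <web-resource-collection><web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern>%s</web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint></security-constraint></web-app>"""

if __name__ == "__main__":
    print(forces_https_everywhere(make_war(CONSTRAINT % "")))
```

A result of None from confidential_patterns corresponds to the situation described in the thread, where the deployment has no web.xml to carry the constraint.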
