We are using JRUN 3.1 & IIS 5.0, on both a WindowsNT and Windows2000
OS. We have been searching for information on how to ensure that
certain JRun web application pages will be displayed ONLY if accessed
via https.
We can set "Require SSL" for the entire IIS 5.0 web server & hence
all the applications/directories/files under the root of the web
server. This does work, but means all pages in all web applications
on that server would require SSL, and that may not be the case, e.g.
we may want to have some pages and JRUN web applications using just
plain http.
If we try to set individual files underneath the web server to
require SLL e.g. by right clicking on web app root directory on the
IIS management console and checking "Require SSL Channel" checkbox,
we can still access the JRUN application using http. By contrast, if
we have a file in same directory checked "Require SSL Channel" and type its directory path into browser, not as a JRUN Web application url, then that file
IS accessible only by using https. This is the behavior we require
when invoking JRUN web applications, which is not working. If we
access same file by typing in url of JRun web application (instead of
directory path), then we can access the file using http - not good!
e.g. if file named myPage.html exists in web app's root directory,
which is named PROTECTED, and PROTECTED is set to require SSL then:
-- call page insecurely via directory path:
http://myserver.com/PROTECTED/myPage.html --> access denied - Correct !
--BUT if the same page is called insecurely using url mapped to the web
application (/myWebApp)
http://myserver.com/myWebApp/myPage.html --> page displays - BAD!
Somehow, when a file/resource is invoked from a JRUN Web Application,
the IIS settings seem to be ignored & the "Require SSL Channel" for
that directory is bypassed.
The option of making the entire web server (and hence all the JRUN
web applictaions under it) as "Require SSL Channel" is not an option
since it enforces even those applications that do not require
security, to be accessed only through https.
Does anyone know why the directory/file SSL requirements on a JRun
Web application are ignored and/or if there is a workaround for this?
Thank you in advance, to the supportive Java community out there.
-Mary
Do you Yahoo!?
Yahoo! Shopping - Send Flowers for Valentine's Day
