Foren
Security constraint confidential for portal not working
manoj manoj, geändert vor 9 Jahren.
Security constraint confidential for portal not working
Junior Member Beiträge: 36 Beitrittsdatum: 12.04.12 Neueste Beiträge
Hi,
I am working on a project with Liferay 6.1 running on tomcat.
We have a requirement to not allow any http requests (only https).
So I checked my web.xml and I do have the following setting:
We do have the connectors correctly defined in service.xml
But when I give http://localhost:8080/portal , I expected it to redirect it to the https, but it is displaying the login page.
We have a few webservices that are exposed and we do not want them (in particular, and even other resources from /portal) to be accessed with http.
Does liferay override this settings anywhere or is it some problem with my web.xml configuration?
I am working on a project with Liferay 6.1 running on tomcat.
We have a requirement to not allow any http requests (only https).
So I checked my web.xml and I do have the following setting:
<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/portal/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
We do have the connectors correctly defined in service.xml
But when I give http://localhost:8080/portal , I expected it to redirect it to the https, but it is displaying the login page.
We have a few webservices that are exposed and we do not want them (in particular, and even other resources from /portal) to be accessed with http.
Does liferay override this settings anywhere or is it some problem with my web.xml configuration?
David H Nebinger, geändert vor 9 Jahren.
RE: Security constraint confidential for portal not working
Liferay Legend Beiträge: 14919 Beitrittsdatum: 02.09.06 Neueste Beiträge
Tomcat should not be used for SSL. You're implementing it all in interpreted java, for pete's sake.
Instead you should use a fronting http server like apache httpd. Let it handle the redirection to https since it does it using native code.
Instead you should use a fronting http server like apache httpd. Let it handle the redirection to https since it does it using native code.
manoj manoj, geändert vor 9 Jahren.
RE: Security constraint confidential for portal not working
Junior Member Beiträge: 36 Beitrittsdatum: 12.04.12 Neueste Beiträge
Hi David,
We do have Webseal in front of liferay.
All access to it happens via webseal.
But the requirement was to disallow access to our portal if someone has the liferay server details.
Strangely, if I put <url-pattern>/*</url-pattern> in web.xml, it redirects to https port (but not for <url-pattern>/portal/*</url-pattern>)
I can not use this ( /* )since we need to allow access to other web apps.
We do have Webseal in front of liferay.
All access to it happens via webseal.
But the requirement was to disallow access to our portal if someone has the liferay server details.
Strangely, if I put <url-pattern>/*</url-pattern> in web.xml, it redirects to https port (but not for <url-pattern>/portal/*</url-pattern>)
I can not use this ( /* )since we need to allow access to other web apps.
David H Nebinger, geändert vor 9 Jahren.
RE: Security constraint confidential for portal not working
Liferay Legend Beiträge: 14919 Beitrittsdatum: 02.09.06 Neueste Beiträge
That is solved with a firewall rule. Block incoming traffic that does not originate from webseal.