Foros de discusión

  1. Inicio
  2. Portal
  3. Security constraint confidential for portal not working

Security constraint confidential for portal not working

thumbnail
manoj manoj, modificado hace 9 años.

Security constraint confidential for portal not working

Junior Member Mensajes: 36 Fecha de incorporación: 12/04/12 Mensajes recientes
Hi,
I am working on a project with Liferay 6.1 running on tomcat.
We have a requirement to not allow any http requests (only https).
So I checked my web.xml and I do have the following setting:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/portal/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

We do have the connectors correctly defined in service.xml
But when I give http://localhost:8080/portal , I expected it to redirect it to the https, but it is displaying the login page.
We have a few webservices that are exposed and we do not want them (in particular, and even other resources from /portal) to be accessed with http.

Does liferay override this settings anywhere or is it some problem with my web.xml configuration?
thumbnail
David H Nebinger, modificado hace 9 años.

RE: Security constraint confidential for portal not working

Liferay Legend Mensajes: 14918 Fecha de incorporación: 2/09/06 Mensajes recientes
Tomcat should not be used for SSL. You're implementing it all in interpreted java, for pete's sake.

Instead you should use a fronting http server like apache httpd. Let it handle the redirection to https since it does it using native code.
thumbnail
manoj manoj, modificado hace 9 años.

RE: Security constraint confidential for portal not working

Junior Member Mensajes: 36 Fecha de incorporación: 12/04/12 Mensajes recientes
Hi David,
We do have Webseal in front of liferay.
All access to it happens via webseal.
But the requirement was to disallow access to our portal if someone has the liferay server details.

Strangely, if I put <url-pattern>/*</url-pattern> in web.xml, it redirects to https port (but not for <url-pattern>/portal/*</url-pattern>)
I can not use this ( /* )since we need to allow access to other web apps.
thumbnail
David H Nebinger, modificado hace 9 años.

RE: Security constraint confidential for portal not working

Liferay Legend Mensajes: 14918 Fecha de incorporación: 2/09/06 Mensajes recientes
That is solved with a firewall rule. Block incoming traffic that does not originate from webseal.