Discussion forums
Security constraint confidential for portal not working
manoj manoj, modified 9 years ago.
Security constraint confidential for portal not working
Junior Member Posts: 36 Join date: 12/04/12
Hi,
I am working on a project with Liferay 6.1 running on Tomcat.
We have a requirement to not allow any http requests (only https).
So I checked my web.xml and I do have the following setting:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/portal/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
We do have the connectors correctly defined in service.xml.
But when I enter http://localhost:8080/portal, I expected it to redirect to https, but it is displaying the login page.
We have a few web services that are exposed and we do not want them (in particular, and even other resources from /portal) to be accessed with http.
Does Liferay override these settings anywhere, or is it some problem with my web.xml configuration?
David H Nebinger, modified 9 years ago.
RE: Security constraint confidential for portal not working
Liferay Legend Posts: 14918 Join date: 2/09/06
Tomcat should not be used for SSL. You're implementing it all in interpreted Java, for Pete's sake.
Instead you should use a fronting HTTP server like Apache httpd. Let it handle the redirection to https since it does it using native code.
manoj manoj, modified 9 years ago.
RE: Security constraint confidential for portal not working
Junior Member Posts: 36 Join date: 12/04/12
Hi David,
We do have WebSEAL in front of Liferay.
All access to it happens via WebSEAL.
But the requirement was to disallow access to our portal if someone has the Liferay server details.
Strangely, if I put <url-pattern>/*</url-pattern> in web.xml, it redirects to the https port (but not for <url-pattern>/portal/*</url-pattern>).
I cannot use this (/*) since we need to allow access to other web apps.
David H Nebinger, modified 9 years ago.
RE: Security constraint confidential for portal not working
Liferay Legend Posts: 14918 Join date: 2/09/06
That is solved with a firewall rule. Block incoming traffic that does not originate from WebSEAL.
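
Added example, not part of the thread and not Liferay or Tomcat code: a small checker for when a CONFIDENTIAL constraint applies, based on the Servlet rule that a web.xml `<url-pattern>` is compared with the request path inside the web application (context path removed). The context path `/portal` used in the test is an assumption; the thread does not say where the portal is deployed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint posted in the thread, wrapped in <web-app>.
WEB_XML_PORTAL = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>securedapp</web-resource-name>
      <url-pattern>/portal/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""
# The variant the poster reports as redirecting to HTTPS.
WEB_XML_ALL = WEB_XML_PORTAL.replace("/portal/*", "/*")


def pattern_matches(pattern, path):
    """Servlet url-pattern rules: path prefix (/x/*), extension (*.x), default (/), exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == "/" or pattern == path


def requires_https(web_xml, context_path, request_uri):
    """True if a CONFIDENTIAL constraint in this app's web.xml covers request_uri.

    context_path is "" for the ROOT app. Simplified: any matching constraint counts.
    """
    if context_path and request_uri != context_path \
            and not request_uri.startswith(context_path + "/"):
        return False  # the request is routed to a different web application
    path = request_uri[len(context_path):] or "/"  # path inside the application
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # ignore an XML namespace if present
    for sc in root.iter("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "")
        if guarantee.strip() != "CONFIDENTIAL":
            continue
        patterns = [(p.text or "").strip() for p in sc.iter("url-pattern")]
        if any(pattern_matches(p, path) for p in patterns):
            return True
    return False
```

Under the assumed `/portal` context path, `/portal/*` would only cover URLs of the form `/portal/portal/...`, while `/*` covers every path of that one application and none of the other web apps.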