Fórum

  1. Início
  2. Portal
  3. Security constraint confidential for portal not working

Security constraint confidential for portal not working

thumbnail
manoj manoj, modificado 9 Anos atrás.

Security constraint confidential for portal not working

Junior Member Postagens: 36 Data de Entrada: 12/04/12 Postagens Recentes
Hi,
I am working on a project with Liferay 6.1 running on tomcat.
We have a requirement to not allow any http requests (only https).
So I checked my web.xml and I do have the following setting:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/portal/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

We do have the connectors correctly defined in service.xml
But when I give http://localhost:8080/portal , I expected it to redirect it to the https, but it is displaying the login page.
We have a few webservices that are exposed and we do not want them (in particular, and even other resources from /portal) to be accessed with http.

Does liferay override this settings anywhere or is it some problem with my web.xml configuration?
thumbnail
David H Nebinger, modificado 9 Anos atrás.

RE: Security constraint confidential for portal not working

Liferay Legend Postagens: 14917 Data de Entrada: 02/09/06 Postagens Recentes
Tomcat should not be used for SSL. You're implementing it all in interpreted java, for pete's sake.

Instead you should use a fronting http server like apache httpd. Let it handle the redirection to https since it does it using native code.
thumbnail
manoj manoj, modificado 9 Anos atrás.

RE: Security constraint confidential for portal not working

Junior Member Postagens: 36 Data de Entrada: 12/04/12 Postagens Recentes
Hi David,
We do have Webseal in front of liferay.
All access to it happens via webseal.
But the requirement was to disallow access to our portal if someone has the liferay server details.

Strangely, if I put <url-pattern>/*</url-pattern> in web.xml, it redirects to https port (but not for <url-pattern>/portal/*</url-pattern>)
I can not use this ( /* )since we need to allow access to other web apps.
thumbnail
David H Nebinger, modificado 9 Anos atrás.

RE: Security constraint confidential for portal not working

Liferay Legend Postagens: 14917 Data de Entrada: 02/09/06 Postagens Recentes
That is solved with a firewall rule. Block incoming traffic that does not originate from webseal.