I have a webapp built with a framework (Jacada) that uses Jetty 4 (yes, it’s
old) as the web server. It runs on Windows Server 2003.

I have successfully enabled SSL support by setting up an SSL listener. However,
I have run into a security issue. A tester, after reaching the site via the
secure URL, changed the URL from https to http and was able to continue
working. That is, my configuration is allowing non-secured traffic to travel
over the SSL port.

I would like to force my SSL listener to only allow secured traffic. Here’s
what I’ve tried:

I added the following to [web_app_home_folder]\utils\web\jetty\etc\jetty.xml:

    <Call name="addHandler">
      <Arg>
        <New class="org.mortbay.http.handler.HTAccessHandler">
          <Set name="AccessFile">.htaccess</Set>
        </New>
      </Arg>
    </Call>

In [web_app_home_folder], I created a file named .htaccess that contains the
following:

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

That did not have any effect. At this point I do not know if my changes to
jetty.xml and my .htaccess file are even being detected.

Any ideas on what I might have missed? Is there a better way to get the
behavior I want?

Thanks.
_______________________________________________
jetty-users mailing list
https://dev.eclipse.org/mailman/listinfo/jetty-users