14

I have set up Jetty 9.3 with two XML context configurations. One for static content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.server.handler.ContextHandler">
  <Set name="contextPath">/static</Set>
  <Set name="handler">
    <New class="org.eclipse.jetty.server.handler.ResourceHandler">
      <Set name="resourceBase">/home/user/static</Set>
      <Set name="directoriesListed">true</Set>
    </New>
  </Set>
</Configure>

and one for a web application (WAR file):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="contextPath">/webapp</Set>
  <Set name="war">/home/user/webapp.war</Set>
</Configure>

I then used this answer to set up Jetty to forward HTTP requests to HTTPS. More specifically, I added the following to jetty/etc/webdefault.xml:

<security-constraint>
  <web-resource-collection>
   <web-resource-name>Everything</web-resource-name>
   <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

and added the following to my HttpConfiguration in jetty/etc/jetty.xml:

<Call name="addCustomizer">
  <Arg>
    <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
  </Arg>
</Call>

This works perfectly for my web application (i.e. accessing the server through HTTP at '/webapp' will redirect to HTTPS), but doesn't seem to affect the static content served under '/static'. I assume this is because the setting added to webdefault.xml only applies to web applications since they have an applicable web.xml file.

How can I set up HTTP requests to redirect to HTTPS for all my pages served as static content?

Silveri
  • 4,836
  • 3
  • 35
  • 44
  • What about `RewriteHandler` ? Maybe it will help you to solve your problem. Just serve static content by this handler. – Hrabosch Oct 05 '16 at 12:18
  • 1
    You can use `nginx` for this, along with the `http` to `https` redirect you will get other advantages like static page cache. – Srinivasu Oct 10 '16 at 09:21
  • Have you tried to use the default servlet + ServletContextHandler for your static content instead of ResourceHandler (which is very limited)? Maybe it would help. @srini In my humble opinion, using another HTTPD server (Apache, Nginx, ...) just for the redirections is a bit too much especially when your server has very limited resources. I use a small board with only one GB of RAM, I wouldn't follow your suggestion. – gouessej Dec 20 '16 at 09:30
  • Related browser-side solution: [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). It will tell browsers to _always_ access resources on your domain through `HTTPS`. – alper Dec 06 '17 at 15:42

1 Answers1

1

As far as I could tell (e.g., based on this SO and this SF and the Jetty Docs) it's not configurable for static content, only for webapps.

What you could do (that does not mean that you should do it this way) is that you create a custom @PreMatching filter if you are using JAX-RS or a custom MessageHandler if you are using JAX-WS which does the redirection programatically (e.g., through returning an HTTP 301).

Community
  • 1
  • 1
D. Kovács
  • 1,232
  • 13
  • 25