I'm trying to use an existing .war but can't figure out how to deal with session authentication. The app uses a servlet filter that would normally redirect me to the authentication service also running on Liberty.
Now on Bluemix I'm able to push my Liberty app but don't understand how to bind the authentication service. As a result I keep getting 403 responses and tried variations of
https://app.ng.bluemix.net or https://user:password@app.ng.bluemix.net
What do I have to do to get my session authentication working on Bluemix?
Answer by Rohit Kelapure (1001) | Mar 31, 2014 at 01:26 AM
I am going to post a more detailed answer later. Here is the shorter version ...
<user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint>
will NOT work with Cloud Foundry since this forces the transport to be https to the app instance. SSL is terminated at the Proxy tier (DataPower/HAProxy) in Cloud Foundry deployments.
To overcome this limitation your app will need to be slightly re-architected using some of the techniques illustrated here
Hope this helps. Rohit
Answer by Benjamin Ratiarisolo (67) | Aug 27, 2014 at 09:36 AM
It seems that using "plain" WebSphere Liberty security constraints defined in your application's web.xml file is now working fine both locally and when deployed to Bluemix.
I just tried it, and http traffic on my deployed app is indeed redirected to https.
To sum things up, your server.xml file should look like this (SSL and application security features enabled, keystore and certificate defined):
<server description="Websphere Liberty">
    <featureManager>
        <!-- ... -->
        <feature>ssl-1.0</feature>
        <feature>appSecurity-2.0</feature>
        <!-- ... -->
    </featureManager>
    <!-- ... -->
    <httpEndpoint id="defaultHttpEndpoint" host="localhost" httpPort="9080" httpsPort="9443" />
    <keyStore id="defaultKeyStore" password="{xor}xxxxxxxxx="/>
</server>
And in my case my application web.xml file looks as follows:
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <display-name>Blah blah blah</display-name>
    <security-constraint>
        <display-name>HTTPS Redirect Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>myapp</web-resource-name>
            <description>HTTPS redirect</description>
            <url-pattern>/foo</url-pattern>
            <url-pattern>/bar</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>
Answer by Rohit Kelapure (1001) | Mar 20, 2014 at 11:13 AM
Holger,
Before answering this we need more information about your security configuration. What does your existing server.xml security configuration look like?
-cheers, Rohit
Hi Rohit,
Thanks for the response. I'm posting 3 files for you, the server.xml I have on Bluemix, the server.xml for the local Liberty profile, and the application.xml. Please find them at
https://gist.github.com/anonymous/1b669aea8cda955842bc
Regards, Holger
Answer by Tom_McManus (91) | Mar 26, 2014 at 03:10 PM
Rohit -- I am in the same boat. This works well on a local, but when I push to Bluemix I get "Error 403: Resource must be accessed with a secure connection try again using an HTTPS connection." in the browser. I understand Bluemix is front-ended by DataPower and the header is supposed to be replaced, but not sure if I did everything correctly.
My server.xml file:
<server description="new server">
    <!-- Enable features -->
    <featureManager>
        <feature>jsp-2.2</feature>
        <feature>appSecurity-1.0</feature>
        <feature>localConnector-1.0</feature>
        <feature>ssl-1.0</feature>
    </featureManager>
    <httpEndpoint host="localhost" httpPort="9080" httpsPort="9443" id="defaultHttpEndpoint"/>
    <applicationMonitor updateTrigger="mbean"/>
    <webApplication id="BluemixWeb" location="BluemixWeb.war" name="BluemixWeb">
        <application-bnd>
            <security-role name="all">
                <special-subject type="ALL_AUTHENTICATED_USERS"></special-subject>
            </security-role>
        </application-bnd>
    </webApplication>
    <basicRegistry>
        <user password="tompassword" name="tom"></user>
    </basicRegistry>
    <keyStore password="mysecret"></keyStore>
</server>
My webApp code index.jsp
<%@page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<html>
<head>
    <title>Who Am I?></title>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</head>
<body>
    You are <%=request.getUserPrincipal().getName() %>
</body>
</html>
My web.xml file
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <display-name>BluemixWeb</display-name>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    <security-role>
        <role-name>all</role-name>
    </security-role>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name/>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>all</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>
URL: http://samplesecureapp.ng.bluemix.net/BluemixWeb
StdErr.log:
[ERROR ] CWWKS9113E: The SSL port is not active. The incoming http request cannot be redirected to a secure port. Check the server.xml file for configuration errors. The https port may be disabled. The keyStore element may be missing or incorrectly specified. The SSL feature may not be enabled.
[ERROR ] CWWKS9113E: The SSL port is not active. The incoming http request cannot be redirected to a secure port. Check the server.xml file for configuration errors. The https port may be disabled. The keyStore element may be missing or incorrectly specified. The SSL feature may not be enabled.
[ERROR ] CWWKS9113E: The SSL port is not active. The incoming http request cannot be redirected to a secure port. Check the server.xml file for configuration errors. The https port may be disabled. The keyStore element may be missing or incorrectly specified. The SSL feature may not be enabled.
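Added example, not part of any post in this thread and not IBM's code: a small Python check that lists the URL patterns a web.xml puts under a CONFIDENTIAL transport guarantee and tests a server.xml for the three causes the CWWKS9113E message names. The sample XML is constructed, the function names are hypothetical, and it assumes the SSL feature is named ssl-x.y as in the posts above.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not taken from any poster's files).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/foo</url-pattern>
      <url-pattern>/bar</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/public</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""
BROKEN_SERVER_XML = """<server>
  <featureManager><feature>jsp-2.2</feature></featureManager>
  <httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="-1"/>
</server>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # '{namespace}name' -> 'name'

def confidential_patterns(web_xml):
    """URL patterns whose security-constraint requires CONFIDENTIAL transport."""
    found = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        text = lambda name: [n.text.strip() for n in sc.iter()
                             if _local(n.tag) == name and n.text]
        if "CONFIDENTIAL" in text("transport-guarantee"):
            found += text("url-pattern")
    return found

def redirect_blockers(server_xml):
    """The three causes CWWKS9113E lists, checked against a server.xml."""
    root, problems = ET.fromstring(server_xml), []
    features = [f.text.strip().lower() for f in root.iter("feature") if f.text]
    if not any(f.startswith("ssl-") for f in features):  # assumption: feature named ssl-x.y
        problems.append("SSL feature not enabled")
    if next(root.iter("keyStore"), None) is None:
        problems.append("keyStore element missing")
    for ep in root.iter("httpEndpoint"):
        if ep.get("httpsPort", "").strip() == "-1":  # -1 disables a Liberty port
            problems.append("https port disabled on " + ep.get("id", "(no id)"))
    return problems

if __name__ == "__main__":
    print(confidential_patterns(WEB_XML), redirect_blockers(BROKEN_SERVER_XML))
```

An empty list from `redirect_blockers` only rules out the three causes the message names in the file that was checked; it says nothing about where TLS is terminated in front of the server.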