jettyservlet-3.0maven-jetty-plugin

Override security constraint in Jetty 9


We are forcing redirect from http to https using security constraint policy set to CONFIDENTIAL. Although in local development we want to remove the constraint. With Jetty 7 we were using override-web.xml that was reassigning transport security from CONFIDENTIAL to NONE. Now after we migrated to Jetty 9 it suddenly stopped doing so. I suspect that now with Jetty 9 instead of overriding transport security it adds constraint to the list.

How to override security constraint from CONFIDENTIAL to NONE in local environment?

This is the part that is coming from web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Some server</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

In local development we are running jetty with jetty-maven-plugin and specifying override-web.xml. This is the part that is coming from override-web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Some server</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Jetty version before: 7.6.10.v20130312
Jetty version after: 9.2.18.v20160721


Solution

  • This functionality should be working in Jetty 9 as in Jetty 7.

    You can find the WebApp configuration instructions from here

    They've changed the tags a bit in Jetty 9 so be extra careful when reading the configuration. You should have something like this in your pom.xml:

    <configuration>
    <webApp>
    <overrideDescriptor>{path_to_your_override_xml}</overrideDescriptor>
    </webApp>
    </configuration>
    

    For example, the tag

    <webApp> </webApp>
    

    was earlier

    <webAppConfig> </webAppConfig>
    

    Follow the Jetty startup log and verify that your overrides are applied:

    [INFO] Web overrides = {path_to_your_override_xml}