Run some applications as HTTP, others as HTTPS

Hi,

We are currently running Payara 5 with Apache on the front, in order to supply HTTPS authentication for the applications running on the server. I’ve been tasked with looking into whether or not it’s possible to ditch Apache, yet still keep the HTTPS compatibility.

Right now, our Apache process primarily does two things: supply HTTPS via a certificate (which I believe Payara can do); and force traffic (based on a vhosts rule) to either require a client certificate, switch to loading the application with HTTPS if it’s not already using that, or switch to loading the application with HTTP if it’s not already using that. Which of the latter two of these to do is detected based on the string in the URL: i.e. if it’s a given application, force one of HTTP or HTTPS.

Is this possible to do with vanilla Payara 5? I’ve looked on the individual application pages and can’t see any immediately obvious option along the lines of “force this application to use HTTPS” or the like. Is this a thing that might exist in Payara 6 (we’re some way off being able to move to that)? And can Payara use client certificates for specific applications as well (that I would specify the CN etc for it to look for)?

Thanks

You can enforce HTTPS per application, or even per resource, in the application's web.xml config file using the <transport-guarantee> element, e.g. like this:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">

    <distributable />
    
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>app</web-resource-name>
            <url-pattern>/index.html</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>    
...
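
An added example, not part of the reply above: a small Python check that reads a web.xml and reports, per URL pattern, which transport guarantee applies, flagging patterns that require a login but do not force HTTPS. The sample descriptor, the `/admin/*` constraint and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"ee": "http://xmlns.jcp.org/xml/ns/javaee"}

# Constructed sample descriptor (not from the thread): one protected page that
# forces HTTPS, and one protected area that omits the transport guarantee.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>app</web-resource-name>
            <url-pattern>/index.html</url-pattern>
        </web-resource-collection>
        <auth-constraint><role-name>user</role-name></auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>admin</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint><role-name>admin</role-name></auth-constraint>
    </security-constraint>
</web-app>
"""

def audit_transport(web_xml_text):
    """Return (url_pattern, guarantee, needs_auth) for every constrained pattern."""
    root = ET.fromstring(web_xml_text.encode("utf-8"))
    rows = []
    for sc in root.findall("ee:security-constraint", NS):
        # A constraint without <user-data-constraint> accepts any transport (NONE).
        tg = sc.findtext("ee:user-data-constraint/ee:transport-guarantee",
                         default="NONE", namespaces=NS).strip()
        needs_auth = sc.find("ee:auth-constraint", NS) is not None
        for pat in sc.findall("ee:web-resource-collection/ee:url-pattern", NS):
            rows.append((pat.text.strip(), tg, needs_auth))
    return rows

def cleartext_auth(rows):
    """Patterns that require a login but may still be served over plain HTTP."""
    # INTEGRAL is treated like CONFIDENTIAL: containers satisfy both with TLS.
    return [p for p, tg, auth in rows if auth and tg not in ("CONFIDENTIAL", "INTEGRAL")]

if __name__ == "__main__":
    print(cleartext_auth(audit_transport(SAMPLE_WEB_XML)))
```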