I am using GlassFish Server 4.1 / Java EE 7. In my web.xml file, I mentioned the following security restrictions.
<security-constraint> <display-name>UserConstraint</display-name> <web-resource-collection> <web-resource-name>Provide a Name</web-resource-name> <description/> <url-pattern>/admin_side/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <description/> <role-name>ROLE_ADMIN</role-name> </auth-constraint> <user-data-constraint> <description/> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
And the same goes for other authorities.
Since transport-guarantee set to CONFIDENTIAL , web pages matching the specified URL /admin_side/* pattern go through a secure channel ( HTTPS ).
When using WebSockets as follows (JavaScript),
var ws = new WebSocket("ws://localhost:8181/Context/Push");
he cannot establish an initial handshake. The following warning is displayed in the browser in the browser console.
[blocked] The page at 'https://localhost:8181/Context/admin_side/Category' was loaded over HTTPS, but ran insecure content from 'ws://localhost:8080/Context/Push': this content should also be loaded over HTTPS. Uncaught SecurityError: Failed to construct 'WebSocket': An insecure WebSocket connection may not be initiated from a page loaded over HTTPS.
When the <user-data-constraint> section of web.xml is completely removed, the webpages run on HTTP . After that, changing
var ws = new WebSocket("ws://localhost:8181/Context/Push");
to
var ws = new WebSocket("ws://localhost:8080/Context/Push");
works great.
What can be done to make WebSockets work on a secure channel?
source share