GWT SSL + Jetty + Same origin policy = confusion

1
votes

I am using GWT and want to enable SSL on one html page(module). I have multiple modules and one such module is secured with following configuration in my web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name></web-resource-name>
    <url-pattern>/Secure.html</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

I have another module (a login page), from which I call Secure.html to pass users' login information over SSL. I have following questions:

  1. Am I violating same origin policy by calling Secure.html module from http (the non secured login page)?
  2. How do I add a connector for SSL in the embedded jetty? I am using GWT eclipse plugin. I hate it though. When I try to access the secured Secure.html page, I get 403 - forbidden in dev mode. I don't want to use SSL for all my modules (-server :ssl). But if I deploy the app on an external server tomcat, it works fine.
  3. Am I doing it right? Must be better approach than this?
1
gwtsame-origin-policyembedded-jetty

1 Answers

1
votes

1) You're definitely violating same-origin policy by changing the protocol.

2) You don't need to have the connector for the embedded Jetty...what you see there is (and should be) identical to what you'd see over HTTPS. SSL is a matter of putting your content behind a secure server. IMO this is a production concern, not a development concern.