After a dotCMS instance is configured to run SSL, you may configure the dotCMS web.xml file (/dotserver/tomcat-X.x.xx/webapps/ROOT/WEB-INF/web.xml) to require SSL for all operations which require authentication on the dotCMS back-end (including logins, API access, etc.). A <security-constraint> whose <transport-guarantee> is CONFIDENTIAL tells Tomcat to refuse plain-HTTP requests for the matching URL patterns and redirect them to the HTTPS port named in the connector's redirectPort attribute in server.xml. It governs transport only: a constraint with no <auth-constraint> does not require a login, so these sections complement dotCMS's own authentication rather than replace it. If TLS terminates at a load balancer or reverse proxy in front of Tomcat, Tomcat must be told which requests arrived over HTTPS (for example with RemoteIpValve and the X-Forwarded-Proto header, or a connector declared with secure="true"); otherwise every request looks insecure and the constraint produces a redirect loop.
Minimum Security Requirements
It is recommended that, at a minimum, you require SSL for all back-end logins (/dotAdmin), all REST API calls (/api), WebDAV access (/webdav), and all access to the /html and /dwr URL branches. To require SSL for all of these areas, add all of the following <security-constraint> sections to your web.xml file. Each section names one URL branch; do not add <http-method> elements to them, because a constraint that lists methods applies only to those methods and leaves every other HTTP verb reachable over plain HTTP.
Note: It is strongly recommended that all changes to the dotCMS configuration files be made via a Root Plugin.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Portal</web-resource-name>
        <description>Secure the dotCMS back-end</description>
        <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Portal Admin Login</web-resource-name>
        <description>Secure the dotCMS back-end</description>
        <url-pattern>/dotAdmin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>API Calls</web-resource-name>
        <description>Secure the dotCMS back-end</description>
        <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Portal Login</web-resource-name>
        <description>Secure the dotCMS back-end</description>
        <url-pattern>/dwr/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>WebDAV File Access</web-resource-name>
        <description>Secure the dotCMS back-end</description>
        <url-pattern>/webdav/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Requiring SSL for All Site Access
As a best practice, you may wish to require SSL for ALL access to the dotCMS site, especially for internal sites or authoring environments. To do this, use the following global definition in the web.xml file. Because the /* pattern matches every request, the per-branch constraints above become redundant once it is present (keeping them does no harm). The HTTP-to-HTTPS redirect only happens after the browser has already sent the plain-HTTP request, so if you also want browsers to stop issuing plain-HTTP requests at all, pair this constraint with an HSTS header (Tomcat's HttpHeaderSecurityFilter can set one).
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Require SSL for All Site Access</web-resource-name>
        <description>Secure the entire dotCMS site</description>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
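The following script is an added example, not part of the dotCMS documentation or the dotCMS code base. It audits a web.xml offline for both the minimum per-branch constraints and the global /* constraint described above: it collects every security-constraint whose transport-guarantee is CONFIDENTIAL, applies servlet url-pattern matching to a set of sample request paths, and flags branches that are uncovered or covered only for the HTTP methods a constraint lists. The two web.xml documents and the request paths embedded in it are constructed for the example; the first is deliberately weak (missing branches, a NONE guarantee, and a GET-only constraint on /dwr), the second uses the page's global constraint.

```python
"""Offline audit of a Tomcat web.xml for CONFIDENTIAL transport constraints.
Added example for the dotCMS SSL guidance above; not dotCMS code."""
import xml.etree.ElementTree as ET

# Constructed sample request paths, one per branch the page says must use SSL,
# plus one public page.
SAMPLE_PATHS = ["/html/portal/login", "/dotAdmin/", "/api/v1/some-endpoint",
                "/dwr/call", "/webdav/some-file", "/index.html"]

# Constructed sample: a web.xml that only partially follows the page's guidance.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Portal</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DWR, GET only (weak: other verbs are uncovered)</web-resource-name>
      <url-pattern>/dwr/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>API (weak: NONE means no transport requirement)</web-resource-name>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample: the page's global "Require SSL for All Site Access" constraint.
FULL_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Require SSL for All Site Access</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace ({uri}name -> name); web.xml uses a default namespace."""
    return tag.rsplit("}", 1)[-1]


def confidential_constraints(web_xml_text):
    """Return [(url_patterns, http_methods)] for each security-constraint whose
    transport-guarantee is CONFIDENTIAL. http_methods is empty when the
    constraint applies to every HTTP method."""
    root = ET.fromstring(web_xml_text)
    found = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        guarantee, patterns, methods = None, [], []
        for el in sc.iter():
            name, text = _local(el.tag), (el.text or "").strip()
            if name == "transport-guarantee":
                guarantee = text
            elif name == "url-pattern":
                patterns.append(text)
            elif name == "http-method":
                methods.append(text.upper())
        if guarantee == "CONFIDENTIAL":
            found.append((patterns, methods))
    return found


def pattern_matches(pattern, path):
    """Servlet url-pattern semantics, enough for this audit: '/*' matches everything,
    '/foo/*' matches '/foo' and anything under it, '*.ext' matches by extension,
    and any other pattern must match the path exactly."""
    if pattern == "/*":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def audit(web_xml_text, sample_paths):
    """Map each path to 'ok', 'uncovered', or 'methods-only:<verbs>'. The last
    means every CONFIDENTIAL constraint matching the path lists <http-method>
    elements, so other verbs still reach that URL over plain HTTP."""
    constraints = confidential_constraints(web_xml_text)
    report = {}
    for path in sample_paths:
        status, partial = "uncovered", []
        for patterns, methods in constraints:
            if any(pattern_matches(p, path) for p in patterns):
                if not methods:
                    status = "ok"
                    break
                partial.extend(methods)
        if status != "ok" and partial:
            status = "methods-only:" + ",".join(sorted(set(partial)))
        report[path] = status
    return report


if __name__ == "__main__":
    for label, text in (("partial web.xml", WEAK_WEB_XML), ("global /* constraint", FULL_WEB_XML)):
        print(f"== {label}")
        for path, status in audit(text, SAMPLE_PATHS).items():
            print(f"  {path:26} {status}")
```

Run it against a real deployment by reading the file into `audit()` in place of the constructed strings. The check is static: it confirms what web.xml asks for, not that Tomcat's connector (redirectPort, or RemoteIpValve behind a TLS-terminating proxy) actually honours it, so follow it with a plain-HTTP request to each branch and confirm you receive a redirect to the HTTPS URL.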