The standard servlet container way of doing it is to modify the web.xml to
force HTTPS for certain URLs.
Check the servlet spec for more detail, but you can edit the web.xml of Axis
(when deployed in Tomcat) and add something like this:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Axis SecondService</web-resource-name>
    <description>Authentication required for Axis SecondService</description>
    <url-pattern>/services/SecondService/*</url-pattern>
    <!-- No specific http-method specified, means that security applies to -->
    <!-- all methods (GET, POST, ...) -->
  </web-resource-collection>
  <!-- Encryptions (SSL) requirements for SecondService -->
  <user-data-constraint>
    <!-- NONE for no encryption required, CONFIDENTIAL for encryption required -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
This makes HTTPS required for the Axis service called SecondService (as
defined by the url-pattern).
Thomas
-----Original Message-----
From: Sanjesh Pathak [mailto:[EMAIL PROTECTED]
Sent: Friday, October 10, 2003 3:35 PM
To: [EMAIL PROTECTED]
Subject: RE: Restrict access to SSL clients for a service
Parley,
Take this handler (see attached) and put it in the request flow of your
service. This handler will only allow requests from a secure channel (SSL).
Sanjesh
-----Original Message-----
From: PARLEY,THUNDER (HP-MountainView,ex1) [mailto:[EMAIL PROTECTED]
Sent: Friday, October 10, 2003 9:34 AM
To: '[EMAIL PROTECTED]'
Subject: Restrict access to SSL clients for a service
Hi List,
If I have Axis running on Tomcat, which has 2 listening ports (unsecure and
SSL), when I deploy a new service, can I deploy it so that the service will
only acknowledge requests over a SSL connection or is there some snippet of
code I can put in the service itself to check that the requestor is
accessing the service securely? Disabling the unsecure port on Tomcat is not
an option.
Thanks!
Thunder
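
A check for the web.xml constraint shown in the first reply, added here as an example and not taken from the thread or from Axis: it parses a web.xml and reports whether a context-relative path and HTTP method end up behind a CONFIDENTIAL transport guarantee, following the servlet specification's best-match and constraint-combination rules. The function names and the sample document are constructed for illustration, and `http-method-omission` is not handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the message inside a minimal <web-app>.
SAMPLE = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>Axis SecondService</web-resource-name>
    <url-pattern>/services/SecondService/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint></web-app>"""

def _find(elem, name):
    """Descendants called name, ignoring any XML namespace (newer web.xml files use one)."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(elem, name):
    return [(e.text or "").strip() for e in _find(elem, name)]

def match_rank(pattern, path):
    """Servlet url-pattern match: higher tuple is a better match, None is no match."""
    if pattern == path:
        return (3, len(pattern))                      # exact
    if pattern.endswith("/*"):                        # path prefix, longest wins
        prefix = pattern[:-2]
        ok = path == prefix or path.startswith(prefix + "/")
        return (2, len(prefix)) if ok else None
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)                                 # extension
    return (0, 0) if pattern == "/" else None         # default mapping

def https_enforced(web_xml, path, method="POST"):
    """True only if every constraint the container would apply to path+method is CONFIDENTIAL."""
    found = []  # (rank, listed methods, requires TLS) for each matching url-pattern
    for sc in _find(ET.fromstring(web_xml), "security-constraint"):
        tls = "CONFIDENTIAL" in _texts(sc, "transport-guarantee")
        for coll in _find(sc, "web-resource-collection"):
            methods = _texts(coll, "http-method")
            for pat in _texts(coll, "url-pattern"):
                rank = match_rank(pat, path)
                if rank is not None:
                    found.append((rank, methods, tls))
    best = max((f[0] for f in found), default=None)
    # Only constraints on the best-matching pattern count, and a listed
    # http-method set leaves every other method unconstrained.
    applied = [tls for rank, methods, tls in found
               if rank == best and (not methods or method in methods)]
    return bool(applied) and all(applied)
```

A path that returns False here is still reachable over the unsecure port, which is the case to look for when other services or later edits add constraints to the same web.xml.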