I hope this helps.

I manage this by making sure that all URLs used in the web app are absolute
(of course they can be absolute and still be dynamic) and include the
appropriate protocol. This of course includes form actions. Then I can
enforce that certain portions of the web app are only accessible via HTTPS
by including something like this in my web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>your-resource</web-resource-name>
        <description>your-desc</description>
        <url-pattern>/root/page.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>your-desc</description>
        <role-name>user-or-whatever</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>your-desc</description>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Now the server enforces that the URL indicated by the security constraint
can only be delivered by HTTPS.

BW
Russ

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Matt Krevs
Sent: Tuesday, March 20, 2001 12:12 AM
To: Orion-Interest
Subject: RE: Sharing sessions between sites


Hi all - just worked this one out I think

The shared attribute I think allows 2 web apps THAT HAVE THE SAME NAME to
share sessions

As soon as I specified
<default-web-app application="sectest" name="sectest-web" shared="true"/>
as the default web app in both web-site.xml files then session sharing
started to work

I can now run an https and http version of my web app at the same time and
have sessions shared between the 2 web apps

The only thing I have to work out now is how to elegantly intercept
requests, work out whether they should be using https or http, and then
redirect them to use the correct protocol

I thought that maybe servlet filtering would be a good way of doing this?

e.g. any URL that contains "/secure" in it could be redirected to https, while
all others would use plain old http.

Has anyone done this before? Anyone have any good examples/ideas?

Thanks
Matt
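
The servlet-filter idea from the message above, as an added example that is not part of the original thread and is not Orion's own code: it sends GET/HEAD requests to the scheme their path calls for and refuses a non-GET request that reached a "/secure" URL over plain HTTP, since a redirect would drop its body. The class name SchemeFilter and the httpPort/httpsPort init-params are assumptions; it uses the Servlet 2.3 Filter API and needs a filter-mapping for /* in web.xml.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example (hypothetical class): routes each request to the scheme its path requires. */
public class SchemeFilter implements Filter {
    private int httpPort = 80, httpsPort = 443;   // assumed defaults, overridable via init-params

    public void init(FilterConfig cfg) {
        if (cfg.getInitParameter("httpPort") != null)
            httpPort = Integer.parseInt(cfg.getInitParameter("httpPort"));
        if (cfg.getInitParameter("httpsPort") != null)
            httpsPort = Integer.parseInt(cfg.getInitParameter("httpsPort"));
    }

    /** Decision logic: returns the redirect target, or null if the scheme is already right. */
    static String target(boolean isSecure, String host, String uri, String query,
                         int httpPort, int httpsPort) {
        boolean wantSecure = uri.contains("/secure");   // the rule proposed in the message
        if (wantSecure == isSecure) return null;
        String scheme = wantSecure ? "https" : "http";
        int port = wantSecure ? httpsPort : httpPort;
        boolean defaultPort = port == (wantSecure ? 443 : 80);
        return scheme + "://" + host + (defaultPort ? "" : ":" + port)
             + uri + (query == null ? "" : "?" + query);   // keep the query string
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String to = target(req.isSecure(), req.getServerName(), req.getRequestURI(),
                           req.getQueryString(), httpPort, httpsPort);
        String m = req.getMethod();
        if (to == null) {
            chain.doFilter(rq, rs);                  // already on the right scheme
        } else if (m.equals("GET") || m.equals("HEAD")) {
            res.sendRedirect(to);                    // safe to replay on the other scheme
        } else if (!req.isSecure()) {
            // a body already sent in clear cannot be un-sent, and a redirect would drop it
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
        } else {
            chain.doFilter(rq, rs);                  // non-GET over HTTPS to a plain path: serve as is
        }
    }

    public void destroy() {}
}
```

getServerName() reflects the request's Host header, so pin the host to a configured name if the container does not validate it. With sessions shared across both sites, the session cookie also travels over the plain-HTTP site.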

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Matt Krevs
Sent: Tuesday, 20 March 2001 1:23 PM
To: Orion-Interest
Subject: Sharing sessions between sites


I am having a few problems sharing sessions between a secure and a
non-secure web site

Having read various posts to the forum I thought that adding shared="true"
to the default-web-app element in each web-site.xml would do the trick. Not
for me. Each web site is creating its own session when it is hit for the
first time (within the same browser window)

So...
I have 2 web apps.
They both use the same application (as specified in server.xml).
Each web app has its own web-site.xml
One of the web apps is secured ie SSL.

web-site.xml for the non-secure site is as follows
--------------------------------------------------
<?xml version="1.0"?>
<!DOCTYPE web-site PUBLIC "Orion Web-site"
"http://www.orionserver.com/dtds/web-site.dtd">

<web-site host="[ALL]" port="80" display-name="SecTest site">
        <default-web-app application="sectest" name="sectest-web" shared="true" load-on-startup="true"/>

        <access-log path="log/default-web-access.log" />
</web-site>

web-site.xml for the secure site is as follows
----------------------------------------------
<?xml version="1.0"?>
<!DOCTYPE web-site PUBLIC "Orion Web-site"
"http://www.orionserver.com/dtds/web-site.dtd">

<web-site host="[ALL]" secure="true" display-name="SecTest secure site">
        <default-web-app application="sectest" name="sectestsecure-web" shared="true" load-on-startup="true"/>

        <ssl-config keystore="keystore" keystore-password="123456" />

        <access-log path="log/default-web-access.log" />
</web-site>


Can anyone see what I'm doing wrong? I assume what I'm trying to do is
possible.

Thanks
Matt



