Re: Require a secure connection
According to http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security5.html
another way would be to specify it in web.xml.

...

If you specify CONFIDENTIAL or INTEGRAL as a security constraint, that type
of security constraint applies to all requests that match the URL patterns
in the Web resource collection, not just to the login dialog.

Specify CONFIDENTIAL when the application requires that data be transmitted
so as to prevent other entities from observing the contents of the
transmission. Specify INTEGRAL when the application requires that the data
be sent between client and server in such a way that it cannot be changed
in transit. The following example code from a web.xml file shows this
setting in context:

    <!-- SECURITY CONSTRAINT -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>WRCollection</web-resource-name>
        <url-pattern>/index.jsp</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>user</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Shawn

On Fri, 2003-01-17 at 07:09, neal wrote:
> Does anyone know how to *require* that a page be accessed only via a
> secure connection?
>
> For instance, I *can* request a secure connection to a page by going to
> https://; and the url ... but how do I prevent a user from going to
> http://; to request that same page? Would this be a proxy thing or is
> something I can set in Tomcat? Is there something that wouldn't require
> the overhead of reflecting upon every single request at the Java level?
>
> Thanks.
> neal
>
> --
> To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
> For additional commands, e-mail: mailto:[EMAIL PROTECTED]

--
shawn [EMAIL PROTECTED]
Re: Require a secure connection
Hi Neal,

    <security-constraint>
      <display-name>Web Booking</display-name>
      <web-resource-collection>
        <web-resource-name>Web Booking</web-resource-name>
        <url-pattern>/web/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Will do what you want. This will switch the transport to HTTPS.

You can also check programmatically using request.isSecure() in the servlet
to make sure the administrator has installed your application and SSL
correctly.

neal wrote:
> Does anyone know how to *require* that a page be accessed only via a
> secure connection?
>
> For instance, I *can* request a secure connection to a page by going to
> https://; and the url ... but how do I prevent a user from going to
> http://; to request that same page? Would this be a proxy thing or is
> something I can set in Tomcat? Is there something that wouldn't require
> the overhead of reflecting upon every single request at the Java level?
>
> Thanks.
> neal

--
Jon Eaves [EMAIL PROTECTED]
http://www.eaves.org/jon/
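
[Added example, not part of any message in this thread.] A Python check that reads a web.xml and lists the URL patterns whose security-constraint either carries no CONFIDENTIAL/INTEGRAL transport-guarantee or names specific http-method elements, in which case the guarantee applies only to those methods. The function names and the /all/* and /admin/* entries are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (web-resource-name omitted): /index.jsp and /web/* mirror
# the constraints posted in this thread; /all/* and /admin/* are hypothetical.
SAMPLE = """<web-app>
 <security-constraint><web-resource-collection>
   <url-pattern>/index.jsp</url-pattern><http-method>GET</http-method>
  </web-resource-collection><user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 </user-data-constraint></security-constraint>
 <security-constraint><web-resource-collection>
   <url-pattern>/web/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection><user-data-constraint>
   <transport-guarantee> CONFIDENTIAL </transport-guarantee>
 </user-data-constraint></security-constraint>
 <security-constraint><web-resource-collection>
   <url-pattern>/all/*</url-pattern>
  </web-resource-collection><user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 </user-data-constraint></security-constraint>
 <security-constraint><web-resource-collection>
   <url-pattern>/admin/*</url-pattern>
  </web-resource-collection><auth-constraint><role-name>user</role-name>
 </auth-constraint></security-constraint>
</web-app>"""

def _named(nodes, name):
    # Match on the local tag name so namespaced (schema-based) files also work.
    return [e for e in nodes if e.tag.rsplit("}", 1)[-1] == name]

def _texts(node, name):
    return [(e.text or "").strip() for e in _named(node.iter(), name)]

def audit(web_xml):
    """Return (url_pattern, finding) pairs for constraints that leave plain HTTP usable."""
    findings = []
    for sc in _named(ET.fromstring(web_xml).iter(), "security-constraint"):
        guarantee = (_texts(sc, "transport-guarantee") or ["NONE"])[0]
        for wrc in _named(sc, "web-resource-collection"):
            methods = _texts(wrc, "http-method")
            for pattern in _texts(wrc, "url-pattern"):
                if guarantee not in ("CONFIDENTIAL", "INTEGRAL"):
                    findings.append((pattern, "no transport guarantee"))
                elif methods:
                    # A constraint that lists methods applies only to those methods.
                    findings.append((pattern, "guarantee limited to " + ",".join(methods)))
    return findings

if __name__ == "__main__":
    for pattern, finding in audit(SAMPLE):
        print(pattern, "->", finding)
```

Leaving out http-method, as in the /all/* entry, makes the constraint apply to every HTTP method for that pattern.
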
Re: Require a secure connection
This should be it ...

http://marc.theaimsgroup.com/?l=tomcat-user&m=99616711404780&w=2

-Tim

neal wrote:
> Does anyone know how to *require* that a page be accessed only via a
> secure connection?
>
> For instance, I *can* request a secure connection to a page by going to
> https://; and the url ... but how do I prevent a user from going to
> http://; to request that same page? Would this be a proxy thing or is
> something I can set in Tomcat? Is there something that wouldn't require
> the overhead of reflecting upon every single request at the Java level?
>
> Thanks.
> neal
Re: Require a secure connection
There's also a transport-guarantee element for web.xml that's supposed to be
handy for doing this declaratively.

Mike.

----- Original Message -----
From: Andy Eastham [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, January 16, 2003 10:29 PM
Subject: RE: Require a secure connection

> try:
>
>     if (!request.isSecure()) {
>         // abort code here
>     }
>
> You can put this in a superclass of all your secure servlets if you like.
>
> Andy
>
> > -----Original Message-----
> > From: neal [mailto:[EMAIL PROTECTED]]
> > Sent: 16 January 2003 22:09
> > To: Tomcat Users List
> > Subject: Require a secure connection
> >
> > Does anyone know how to *require* that a page be accessed only via a
> > secure connection?
> >
> > For instance, I *can* request a secure connection to a page by going to
> > https://; and the url ... but how do I prevent a user from going to
> > http://; to request that same page? Would this be a proxy thing or is
> > something I can set in Tomcat? Is there something that wouldn't require
> > the overhead of reflecting upon every single request at the Java level?
> >
> > Thanks.
> > neal
Re: Require a secure connection
On Thu, 16 Jan 2003, neal wrote:
> Does anyone know how to *require* that a page be accessed only via a
> secure connection?
>
> For instance, I *can* request a secure connection to a page by going to
> https://; and the url ... but how do I prevent a user from going to
> http://; to request that same page? Would this be a proxy thing or is
> something I can set in Tomcat? Is there something that wouldn't require
> the overhead of reflecting upon every single request at the Java level?
>
> Thanks.
> neal

I think if you're using Tomcat standalone, the security-constraint
technique that others have mentioned is the way to go. But if you're using
Tomcat behind Apache, you should be able to control this by controlling
what resources are available to each instance of the server (with http
being one instance and https being another). For example, you can set them
up as separate virtual hosts, and then control what resources are
accessible within each virtual host. Works for us.

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]
RE: Require a secure connection
try:

    if (!request.isSecure()) {
        // abort code here
    }

You can put this in a superclass of all your secure servlets if you like.

Andy

> -----Original Message-----
> From: neal [mailto:[EMAIL PROTECTED]]
> Sent: 16 January 2003 22:09
> To: Tomcat Users List
> Subject: Require a secure connection
>
> Does anyone know how to *require* that a page be accessed only via a
> secure connection?
>
> For instance, I *can* request a secure connection to a page by going to
> https://; and the url ... but how do I prevent a user from going to
> http://; to request that same page? Would this be a proxy thing or is
> something I can set in Tomcat? Is there something that wouldn't require
> the overhead of reflecting upon every single request at the Java level?
>
> Thanks.
> neal