Gerhard,

On 3/24/2011 1:49 PM, Gaugusch, Gerhard wrote:
> Is there a way to configure tomcat 6 to use basic authentication only
> on https connectors? I know that it is possible to define in each
> deployed application via web.xml to allow only https connections.
> What I am searching for is a way to prevent all deployed applications
> to use basic authentication without https. But I don't want to touch
> each application itself.

So, you want to do one of the following:

1. Always use HTTPS
2. Require requests with BASIC authentication headers to always use HTTPS

If your requirement is the first listed above, you could simply not define a non-HTTPS connector, or configure conf/web.xml (that's the site-wide deployment descriptor) with a <security-constraint> that specifies "/*" as the url-pattern and CONFIDENTIAL as the <transport-guarantee>.

If you want the second, and you want to do it site-wide without touching any of the web apps, I think you'll have to write a Valve (or a Filter if you're using Tomcat 7) and install it in conf/context.xml. This Filter (or Valve) would inspect the request and perform a redirect if it sees HTTP + BASIC Auth headers. You should probably also look for (non-secure) HTTP responses that send a 401 status code and change those to a 30x response to avoid clients sending BASIC authentication information in the first place.

-chris
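The Valve that Chris sketches for option 2, written out as an added example (it is not code from the thread or from the Tomcat project). The class name `BasicOverHttpsOnlyValve`, the package `example` and the `redirectPort` attribute are names chosen here; the conf/web.xml fragment for option 1 is reproduced in the header comment for comparison. It compiles against Tomcat 6's lib/catalina.jar and lib/servlet-api.jar and does two things: it redirects any plaintext request that already carries an `Authorization: Basic` header to the same URL over HTTPS, and, after the rest of the pipeline has run, it replaces a plaintext 401 challenge with the same redirect so the browser never shows a password dialog on an unencrypted connection.

```java
// Added example, not from the original thread or the Tomcat code base.
//
// Option 1 from the reply needs no code; in conf/web.xml:
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Everything</web-resource-name>
//       <url-pattern>/*</url-pattern>
//     </web-resource-collection>
//     <user-data-constraint>
//       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
//     </user-data-constraint>
//   </security-constraint>
//
// Option 2 is this Valve. Class name, package and the redirectPort attribute
// are names chosen for the example. Install it once for all web apps in
// conf/context.xml:
//
//   <Valve className="example.BasicOverHttpsOnlyValve" redirectPort="8443"/>
//
// Compile against Tomcat 6's lib/catalina.jar and lib/servlet-api.jar.
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class BasicOverHttpsOnlyValve extends ValveBase {

    /** Port of the HTTPS connector to redirect to; set via the Valve attribute. */
    private int redirectPort = 443;

    public void setRedirectPort(int redirectPort) { this.redirectPort = redirectPort; }
    public int getRedirectPort() { return redirectPort; }

    public void invoke(Request request, Response response)
            throws IOException, ServletException {

        // Requests that already arrived over TLS are left alone.
        if (request.isSecure()) {
            getNext().invoke(request, response);
            return;
        }

        // Case A: the client already sent "Authorization: Basic ..." in plaintext.
        // Those credentials are exposed; do not act on them, move the client to HTTPS.
        if (isBasicAuthorization(request.getHeader("Authorization"))) {
            response.sendRedirect(httpsLocation(request));
            return;
        }

        // Context-level Valves from context.xml run before Tomcat's authenticator,
        // so the BasicAuthenticator (and the web app) execute here.
        getNext().invoke(request, response);

        // Case B: the pipeline answered 401 + WWW-Authenticate over plaintext HTTP,
        // which would make the browser prompt for a password and send it unprotected.
        // The 401 is still uncommitted at this point because the error body is rendered
        // later by the Host-level ErrorReportValve, so it can still be replaced.
        if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED
                && !response.isCommitted()) {
            response.reset();  // drops the 401 status and the WWW-Authenticate header
            response.sendRedirect(httpsLocation(request));
        }
    }

    /** True for an HTTP Basic credential header; the scheme token is case-insensitive. */
    static boolean isBasicAuthorization(String authorization) {
        return authorization != null
            && authorization.length() > 6
            && authorization.regionMatches(true, 0, "Basic ", 0, 6);
    }

    /** Same host, path and query string as the request, but https:// on redirectPort. */
    private String httpsLocation(Request request) {
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        if (redirectPort != 443) {
            url.append(':').append(redirectPort);
        }
        url.append(request.getRequestURI());
        String query = request.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }
}
```

Two caveats a practitioner should keep in mind. Case A cannot undo the exposure: by the time the Valve sees the header, the credentials have already crossed the wire in cleartext, which is exactly why Case B (never issuing the challenge over HTTP) is the part that actually prevents leakage. And the redirect target is built from the request's Host header, the same source Tomcat itself uses when it enforces a CONFIDENTIAL transport guarantee, so a deployment that accepts arbitrary Host values should front this with a proper Host whitelist.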