Yes, Tomcat's handling of the <security-constraint> is very complementary to the use of sslext. Unfortunately, unless this has changed recently, not all containers behave in this way.
WebLogic, for instance, just creates a response that outputs a message to the browser stating that a particular URL is available only by HTTPS. (Maybe this has changed in 8.1, I'll check it out.) Tomcat definitely has the superior implementation on this issue.

Steve

----- Original Message -----
From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Cc: "Stephane Grenier" <[EMAIL PROTECTED]>
Sent: Monday, September 15, 2003 10:37 AM
Subject: Re: sslext can only get it to post

> On Sun, 14 Sep 2003, Max Cooper wrote:
>
> > Some design changes are needed to make the switch to the https port in
> > what I consider to be an acceptable manner.
>
> One avenue to explore is using one particular capability of container
> managed security, and declare a security constraint requiring SSL on a
> particular request. Something like this:
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Checkout Section</web-resource-name>
>       <description>
>         The set of URL patterns for requests that must be submitted
>         via SSL. In order to avoid sending confidential data unencrypted,
>         these patterns MUST include the page that renders the form to
>         be submitted that contains that confidential data.
>       </description>
>       <!-- URL pattern for the form containing the credit card number -->
>       <url-pattern>/checkout_form.jsp</url-pattern>
>       <!-- URL pattern for the "buy it" submit button -->
>       <url-pattern>/buy.do</url-pattern>
>     </web-resource-collection>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>
> If you do this, the container will switch to HTTPS for you before the
> checkout form is rendered. Hence, the ultimate submit of that form will
> be done over SSL. It's up to the container to figure out what the correct
> SSL port number is (in Tomcat, you configure this with the "redirectPort"
> attribute on a <Connector> element; the default configuration for non-SSL
> on port 8080 redirects to SSL on port 8443).
>
> Note that, because there is no <auth-constraint> here, this particular
> security constraint does not require you to use container managed security
> for authentication -- it's only being used to do the "redirect to SSL"
> trick for you.
>
> Craig
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
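
Added example, not part of the original thread or of any project it mentions: a check that every path handling confidential data, including the page that renders the form, is covered by a CONFIDENTIAL constraint in web.xml, as the description in the quoted constraint requires. The sample descriptor is constructed with the form page's pattern left out, and the check is simplified: it ignores <http-method> limits and the servlet spec's best-match rule between overlapping constraints.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the quoted message, but with the
# form page's <url-pattern> omitted so the check has a gap to report.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Checkout Section</web-resource-name>
      <url-pattern>/buy.do</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Drop an XML namespace so DTD-based and schema-based web.xml both work."""
    return tag.rsplit("}", 1)[-1]

def texts(node, name):
    """Stripped text of every element called `name` at or below `node`."""
    return [e.text.strip() for e in node.iter() if local(e.tag) == name and e.text]

def confidential_patterns(web_xml):
    """URL patterns of constraints whose transport guarantee is CONFIDENTIAL."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) == "security-constraint" and "CONFIDENTIAL" in texts(sc, "transport-guarantee"):
            patterns += texts(sc, "url-pattern")
    return patterns

def matches(pattern, path):
    """Servlet URL pattern match: /prefix/*, *.ext, or exact (simplified, see lead-in)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern

def unprotected(web_xml, sensitive_paths):
    """Sensitive paths that no CONFIDENTIAL pattern covers."""
    pats = confidential_patterns(web_xml)
    return [p for p in sensitive_paths if not any(matches(pat, p) for pat in pats)]

if __name__ == "__main__":
    print(unprotected(SAMPLE_WEB_XML, ["/checkout_form.jsp", "/buy.do"]))
```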