I can't get this to work. Perhaps Craig (or someone else - I'm not picky) could shed 
some light.

Here's what I did:

1. I rebuilt Tomcat3.2.1 (dist) as specified in Henri Gomez's how-to titled Tomcat and 
SSL. No problem.
2. I copied the 3 jsse jar files (jsse.jar, jcert.jar, and jnet.jar) to 
$TOMCAT_HOME/lib.
3. I specified the JSP page that I want protected with SSL, like this:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Credit Card Page</web-resource-name>
    <url-pattern>/WEB-INF/jsp/createAccount/content.jsp</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

When I access the JSP page specified with the url-pattern, I don't see the little 
padlock in IE5.5.

btw, if I specify a url-pattern of /*, as specified below, I can't access the 
application at all -- I get
a 403 (forbidden) error when I try to access the file specified in the 
welcome-file-list. ;-(

Help?!?

TIA,


david

"Craig R. McClanahan" wrote:

> For Tomcat+SSL stand-alone, you have a couple of choices:
>
> * If you do not need the non-SSL port for anything else, you
>   can disable it by removing the <Connector> element for port 8080
>   from your "conf/server.xml" file.
>
> * If you need non-SSL for other webapps and simply want to protect
>   this one, you can add a security constraint to your web.xml file:
>
>     <security-constraint>
>         <web-resource-collection>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <user-data-constraint>
>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
>
> In this constraint, the URL pattern of "/*" protects your entire webapp (you could
> also require SSL on only part of it, if you wished), while the
> CONFIDENTIAL requirement means that SSL is required.
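
An added example, not part of either message and not Tomcat code: a small audit script that reads a web.xml, reports which request paths fall under a transport-guarantee constraint using the servlet url-pattern rules (exact, longest path prefix, extension, default), and flags patterns under /WEB-INF/, which clients can never request directly, so a constraint written there is never evaluated for a real browser request. The sample descriptor is constructed, the /account/* pattern and all function names are hypothetical, and the descriptor is assumed to be Servlet 2.2 style with no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (Servlet 2.2 style, no XML namespace).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/WEB-INF/jsp/createAccount/content.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def load_constraints(web_xml):  # -> [(url_pattern, transport_guarantee), ...]
    out = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        for pat in sc.iter("url-pattern"):
            out.append((pat.text.strip(), guarantee))
    return out

def match_rank(pattern, path):
    """Servlet url-pattern match: higher rank wins, 0 means no match."""
    if pattern == path:
        return 10_000                       # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return 1_000 + len(prefix)      # longest path prefix wins
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return 100                          # extension match
    return 1 if pattern == "/" else 0       # default mapping, else no match

def requires_ssl(constraints, path):
    """True if the best-matching constraint for this request path demands SSL."""
    best = max(constraints, key=lambda c: match_rank(c[0], path), default=None)
    return best is not None and match_rank(best[0], path) > 0 and best[1] != "NONE"

def unreachable_patterns(constraints):  # patterns no client request can hit
    return [p for p, _ in constraints if p.upper().startswith(("/WEB-INF/", "/META-INF/"))]
```

Run `unreachable_patterns(load_constraints(...))` over a deployed descriptor to list constraints that should be moved to the public URL the browser actually requests.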

