Jonathan, thanks a lot for that. It works fine with the
transport-guarantee element set to CONFIDENTIAL. If I try to hit any of the
pages in the defined directory, Tomcat redirects the request to the port
defined as the 'redirectPort' of the connector and switches to https
without me having to code a thing.

Cheers,

Steve.



                                                                                       
                                
From:     "Jonathan Eric Miller" <jemiller@uchicago.edu>
To:       "Tomcat Users List" <[EMAIL PROTECTED]>
cc:
Subject:  Re: How to enforce SSL???
Date:     26/04/2002 18:52
Please respond to "Tomcat Users List"




I think if you add something similar to the following to the web.xml file
for your application, it will make it automatically redirect from HTTP to
HTTPS.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Tomcat</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

As far as requiring a particular encryption strength, the only way I know
how to do it is to check the following attributes, i.e. as far as I know
there isn't a flag in the web.xml file that you can use in order to require
128-bit encryption.
req.getAttribute("javax.servlet.request.cipher_suite")

req.getAttribute("javax.servlet.request.key_size")

javax.servlet.request.cipher_suite: SSL_RSA_WITH_RC4_128_MD5

javax.servlet.request.key_size: 128

Jon

----- Original Message -----
From: "Steve D George" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, April 26, 2002 11:04 AM
Subject: How to enforce SSL???


> Hi, I'm working with a standalone Tomcat 4.0.2 on W2K. I've just gone
> through the SSL How To and created myself a little certificate and got
> everything working over SSL. I can access all my pages over HTTP or
> HTTPS.
>
> My question now is how to enforce the use of HTTPS for a given page. The
> SSL How To says that any page that absolutely requires SSL should check
> the protocol of the request and take the appropriate action, by which I
> presume it means that you code a redirect to the same page but over https.
>
> Is this the standard way to enforce it though? I sort of imagined that
> you would be able to say that any page in a certain directory should be
> served over HTTPS and just let Tomcat handle it for you?
>
> Thanks for any help,
>
> Have a great weekend everyone!
>
> Cheers,
>
> Steve.
>
>
> --
> To unsubscribe:   <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>
>
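
An added example, not part of the original thread and not Tomcat's own code: a servlet filter that applies the attribute check Jon describes, rejecting any request whose javax.servlet.request.key_size is below a minimum. The class name MinKeySizeFilter and the init-param name minKeySize are assumptions made for this example.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Added example. MinKeySizeFilter and the "minKeySize" init-param are assumed names.
public class MinKeySizeFilter implements Filter {
    private FilterConfig config;
    private int minKeySize = 128; // bits; default matches the 128-bit requirement discussed

    public void init(FilterConfig config) throws ServletException {
        this.config = config;
        String configured = config.getInitParameter("minKeySize");
        if (configured != null) {
            try {
                minKeySize = Integer.parseInt(configured.trim());
            } catch (NumberFormatException e) {
                throw new ServletException("minKeySize must be an integer", e);
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // The container sets these only for requests it received over SSL/TLS:
        // key_size is an Integer, cipher_suite a String.
        Object keySize = req.getAttribute("javax.servlet.request.key_size");
        Object suite = req.getAttribute("javax.servlet.request.cipher_suite");

        // Fail closed: a missing attribute (plain HTTP, or TLS terminated
        // upstream of the container) is treated as too weak.
        boolean strongEnough = req.isSecure()
                && keySize instanceof Integer
                && ((Integer) keySize).intValue() >= minKeySize;

        if (!strongEnough) {
            config.getServletContext().log("Rejected request: cipher_suite="
                    + suite + " key_size=" + keySize + " required=" + minKeySize);
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Connection encryption is below the required strength");
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        config = null;
    }
}
```

Map the filter in web.xml with <filter> and <filter-mapping> alongside the CONFIDENTIAL constraint. key_size reports only the symmetric key length, so a suite such as the SSL_RSA_WITH_RC4_128_MD5 shown above passes a 128-bit check; which suites are offered at all is decided by the connector, not by this filter.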

