According to http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security5.html another way would be to specify it in web.xml.
... If you specify CONFIDENTIAL or INTEGRAL as a security constraint, that type of security constraint applies to all requests that match the URL patterns in the Web resource collection, not just to the login dialog. Specify CONFIDENTIAL when the application requires that data be transmitted so as to prevent other entities from observing the contents of the transmission. Specify INTEGRAL when the application requires that the data be sent between client and server in such a way that it cannot be changed in transit. The following example code from a web.xml file shows this setting in context: <!-- SECURITY CONSTRAINT --> <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/index.jsp</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>user</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> Shawn On Fri, 2003-01-17 at 07:09, neal wrote: > Does anyone know how to *require* that a page be accessed only via a secure > connection? > > For instance, I *can* request a secure connection to a page by going to > "https://" and the url ... but how do I prevent a user from going to > "http://" to request that same page? > > Would this be a proxy thing or is something I can set in Tomcat? Is there > something that wouldn't require the overhead of reflecting upon every single > request at the Java level? > > Thanks. > neal > > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- shawn <[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>