Hi all,
I wonder if anyone can help me. I've recently taken over management of our
Tomcat webapp, and have been listening to the list for a while, although
I don't know enough to contribute much yet, I am afraid.
I'm using the following security-constraint to make sure that any user using
our payment module is transferred to https
<security-constraint>
  <display-name>Secure Access</display-name>
  <web-resource-collection>
    <web-resource-name>OrderPayment</web-resource-name>
    <url-pattern>/OrderPayment</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
This works fine - if I request http://mydomain/OrderPayment I get
transferred to https.
However, after they've finished paying I really want to transfer them back
to http. I couldn't see a way of doing this using web.xml - the info I found
on the net suggested this isn't possible.
So, I thought I could write a filter to do this. I can easily write a filter
which uses sendRedirect to transfer an https request to http, but I wanted to
know the best way to see which requests to do this to. I could hard code
into my filter the names of the pages I want to be secure, but I wondered if
there is any way of finding out programmatically which requests are covered
by the security-constraint, and then any that are https and aren't covered,
do the redirect on.
Does that make sense? i.e. can I do something like:
    if (request.getScheme().equals("https")
        && !request.hasConfidentialSecurityContraint()) {
(And does this in general sound like a sensible way of doing things?)
Thanks for any help,
Tamsin