Hi,

> -----Original Message-----
> From: John Smith [mailto:tomcat.ran...@gmail.com]
> Sent: Friday, August 1, 2014 11:43 PM
> To: Tomcat Users List
> Subject: Re: Restricting SSL access within webapp
>
> On Fri, Aug 1, 2014 at 4:34 PM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
>
> > > From: John Smith [mailto:tomcat.ran...@gmail.com]
> > > Subject: Restricting SSL access within webapp
> >
> > > What's the correct way to selectively restrict https to only one area of a webapp?
> >
> > Why would you want to do that? Other than a few extra server CPU cycles, what's the harm in allowing SSL anywhere at the client's discretion?
> >
> > - Chuck
>
> From the docs:
>
> Also, while the SSL protocol was designed to be as efficient as securely possible, encryption/decryption is a computationally expensive process from a performance standpoint. It is not strictly necessary to run an entire web application over SSL, and indeed a developer can pick and choose which pages require a secure connection and which do not. For a reasonably busy site, it is customary to only run certain pages under SSL, namely those pages where sensitive information could possibly be exchanged.
>
> Unfortunately how to do this isn't explained. I might use a filter. Our site handles 500,000 visitors a day on two TC instances. Believe me, I need to consider performance costs.
Note that putting a complete website on SSL (and not only parts of it) can help protect users from SSL Stripping attacks: this is where a Man-In-The-Middle manipulates the HTTP traffic so that all references to HTTPS (e.g. a link to a "Login" form) are substituted by HTTP ones, so that when the user goes to a part of the website which should be accessed over SSL, he accesses it over plain HTTP and the attacker can intercept all traffic (assuming the user doesn't know that the login part of this particular website should only be accessed over HTTPS and not HTTP).

Therefore, I think it's a good practice (at least for security-sensitive sites and if the users are not so technologically adept as to know to access e.g. the Login page only over HTTPS) to use SSL for the whole website, not only for a part of it.

Additionally, HTTP Strict Transport Security [1] will help to prevent the user from accidentally viewing a website over HTTP instead of HTTPS, and requires that the whole website uses SSL.

Regards,
Konstantin Preißer

[1] http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
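The thread contrasts two approaches: the quoted question asks how to require HTTPS for only one area of a webapp, and the reply argues for HTTPS on the whole site plus HSTS. The servlet filter below is an added example written for this page (it is not Tomcat's code and not code from either poster) that can do either: with no `securePrefixes` init-param it forces HTTPS everywhere and emits the `Strict-Transport-Security` header; with a comma-separated list of path prefixes it enforces HTTPS only under those paths. The class name `RequireHttpsFilter` and the `securePrefixes` init-param are assumptions made here, not Tomcat configuration keys.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Example filter written for this thread (hypothetical, not part of Tomcat):
// redirects plain-HTTP requests to HTTPS and sets HSTS on secure responses.
public class RequireHttpsFilter implements Filter {

    // One year, in seconds. includeSubDomains stops a downgrade via e.g. login.example.com.
    private static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    // Path prefixes (relative to the context path) that must be served over HTTPS.
    // An empty array means the whole application, which is what the reply recommends.
    private String[] securePrefixes = new String[0];

    @Override
    public void init(FilterConfig config) {
        // "securePrefixes" is a hypothetical init-param, e.g. "/login,/account"
        String param = config.getInitParameter("securePrefixes");
        if (param != null && !param.trim().isEmpty()) {
            securePrefixes = param.trim().split("\\s*,\\s*");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isSecure()) {
            // Browsers only honour HSTS received over HTTPS, so set it here only.
            response.setHeader("Strict-Transport-Security", HSTS_VALUE);
            chain.doFilter(req, res);
            return;
        }

        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (!requiresHttps(path)) {
            chain.doFilter(req, res);
            return;
        }

        // Redirect only safe methods. A POST that arrived over plain HTTP has already
        // been exposed; replaying it over HTTPS would hide that rather than fix it.
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        // Rebuild the URL on the HTTPS default port (443); adjust if TLS is on another port.
        StringBuilder target = new StringBuilder("https://")
                .append(request.getServerName())
                .append(request.getRequestURI());
        if (request.getQueryString() != null) {
            target.append('?').append(request.getQueryString());
        }
        // 301 so the browser caches the upgrade for this URL.
        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
        response.setHeader("Location", target.toString());
    }

    // Whole-site mode when no prefixes are configured; otherwise prefix match.
    boolean requiresHttps(String path) {
        if (securePrefixes.length == 0) {
            return true;
        }
        for (String prefix : securePrefixes) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
    }
}
```

Two caveats when deploying something like this on Tomcat. First, `request.isSecure()` reflects the connector that received the request; if TLS is terminated at a load balancer in front of the two instances mentioned in the thread, the connector must be configured (for example with Tomcat's `RemoteIpValve` and the `X-Forwarded-Proto` header) so that `isSecure()` is true for proxied HTTPS traffic, otherwise every request loops through the redirect. Second, the per-path variant is the container-native `<security-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` in `web.xml`, which needs no code; the filter is only needed when you also want the HSTS header, and a site that sends HSTS must serve everything over HTTPS, so the per-path mode and HSTS should not be combined.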