wmueller wrote: > I have a small web application. Some pages are free to visit for everyone > but some other are only available after login (username/password). I try to > make the login page and all other pages after the login to use https. > > you can think of a application structure like this: > > /public/page.xhtml > /private/login.xhtml > /private/morepage.xhtml > > while all pages under /public use http and all pages under private should > only accessible with https
You should create a security constraint for the /private branch of the pages in the web.xml file of your application. The following frangment should be rather close to what you're looking for (/private/* require that user is authenticated and are only available through a protected connection). <security-constraint> <web-resource-collection> <url-pattern>/private/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>*</role-name> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> On top of that, you'll naturally need to set up Tomcat so that it also accepts https connections. -- ..Juha --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]