Justin Randall wrote:
> Hello,
>
> I'm not going to bother responding to the many posts that said the solution I
> mentioned was wrong, instead I'll just provide the example of how to do it,
> since it works.
>
> ====
>
> ..... lines removed .....
>
> package blah;
>
> ..... lines removed .....
>
> public final class SomeFilterClass implements Filter {
>
> ..... lines removed .....
>
> public void doFilter(ServletRequest request, ServletResponse response,
> FilterChain filterChain) throws IOException, ServletException {
> HttpServletRequest req = (HttpServletRequest) request;
> HttpServletResponse rsp = (HttpServletResponse) response;
> rsp.sendRedirect(req.getRequestURI());
> filterChain.doFilter(request, response);
> }
>
> ..... lines removed .....
>
> }
> =====
>
> And below is what the web.xml looks like:
>
> =====
>
> .... lines removed .....
>
> <filter>
> <filter-name>SomeFilterClass</filter-name>
> <filter-class>blah.SomeFilterClass</filter-class>
> </filter>
> <filter-mapping>
> <filter-name>SomeFilterClass</filter-name>
> <url-pattern>/ssl/*</url-pattern>
> <dispatcher>FORWARD</dispatcher>
> <dispatcher>INCLUDE</dispatcher>
> <dispatcher>ERROR</dispatcher>
> </filter-mapping>
>
> ..... lines removed .....
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>RequiresLogin</web-resource-name>
> <url-pattern>/html/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>somerole</role-name>
> </auth-constraint>
> </security-constraint>
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>RequiresSSL</web-resource-name>
> <url-pattern>/ssl/*</url-pattern>
> </web-resource-collection>
> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
>
> <security-role>
> <role-name>somerole</role-name>
> </security-role>
>
> <login-config>
> <auth-method>FORM</auth-method>
> <form-login-config>
> <form-login-page>/ssl/login.jsp</form-login-page>
> <form-error-page>/ssl/login-error.jsp</form-error-page>
> </form-login-config>
> </login-config>
>
> ..... lines removed .....
>
> =====
>
> Of course you'll need to change the login/security constraint URLs and role
> name to match those in your environment.
>
> For anyone who stated the earlier statements were incorrect, I encourage you
> to provide another "better" working example. This one works for me and is
> used by other industry professionals.
Your example is mostly correct, in that you have the transport guarantee
in place for a given path which will force a redirect to the configured
HTTPS port; it's just that the additional filter is surplus.
Thus the first example I gave would seem to be an improvement.
It is also used by 'industry professionals' and works perfectly well for me.
Am happy to be corrected if I'm wrong.
p
> Regards,
>
> Justin
>
> Here is an example:
>
>> Date: Wed, 7 Jan 2009 09:35:33 +0100
>> From: [email protected]
>> To: [email protected]
>> Subject: Re: j_security_check with https
>>
>> Hi Justin,
>>
>> On Wed, Jan 7, 2009 at 4:13 AM, Justin Randall <[email protected]> wrote:
>>> Create a Filter subclass with the sole purpose of having its "doFilter"
>>> method call "sendRedirect" on the HttpServletResponse object. Map this
>>> Filter to the same URL pattern you use for SSL and make sure to use the
>>> <dispatcher> tags for FORWARD, INCLUDE, ERROR, and whatever other
>>> RequestDispatcher operations you want to ensure use SSL.
>>>
>> You've got any example using this solution?
>>
>> Gregor
>> --
>> just because your paranoid, doesn't mean they're not after you...
>> gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
>> gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>
>
> _________________________________________________________________
> Keep in touch and up to date with friends and family. Make the connection now.
> http://www.microsoft.com/windows/windowslive/
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
