Hi, Thanks for the info about the transport-guarantee. I did try to use it. Here is the config to exclude xsl files and allow all others through to HTTPS.
<security-constraint> <web-resource-collection> <web-resource-name>Notify page, accessed internally by application</web-resource-name> <url-pattern>*.xsl</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> <!-- Force SSL for entire site --> <security-constraint> <web-resource-collection> <web-resource-name>Entire Site</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> I would expect with this configuration that when i try to load any xsl through http on my browser, no redirection to https happens. But it doesnt seem to be happening. Is my configuraiton missing something. ? BTW, i use tomcat 6.0.18. Thanks, Anand On Fri, Feb 6, 2009 at 11:31 AM, Caldarale, Charles R < chuck.caldar...@unisys.com> wrote: > > From: Anand HS [mailto:anan...@gmail.com] > > Subject: A question about excluding URL patterns from filters > > > > I have a filter that takes all requests that try to hit http and > > redirects them through https. > > Why are you using a filter? Why not the <transport-guarantee> mechanism > defined in the servlet spec? > > - Chuck > > > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY > MATERIAL and is thus for use only by the intended recipient. If you received > this in error, please contact the sender and delete the e-mail and its > attachments from all computers. > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >