tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: SSL
Date Tue, 13 Feb 2001 19:53:14 GMT
Julie Ruiz wrote:

> I have installed Tomcat+SSL.  I need that my aplications be acceded only through a secure
URL.
> How can I configure the context where are going to be the aplications that accede through
a secure URL, but canĀ“t be accede by a non secure URL??
>

For Tomcat+SSL stand-alone, you have a couple of choices:

* If you do not need the non-SSL port for anything else, you
  can disable it by removing the <Connector> element for port 8080
  from your "conf/server.xml" file.

* If you need non-SSL for other webapps and simply want to protect
  this one, you can add a security constraint to your web.xml file:

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

In this constraint, the URL pattern of "/*" protects your entire webapp (you could also require
SSL on only part of it, if you wished), while the
CONFIDENTIAL requirement means that SSL is required.

>
> Julie.
>

Craig McClanahan



Mime
View raw message