tomcat-users mailing list archives

From Milt Epstein <mepst...@uiuc.edu>
Subject RE: Apache-Tomcat
Date Fri, 25 Oct 2002 21:06:28 GMT
On Fri, 25 Oct 2002, Turner, John wrote:

> Thanks, but I think there is a "better" way to do it, such that the
> request never even gets to the servlet or JSP page if it isn't
> secure when it should be.  I just don't know it.

I'd think the "cleanest" way to do this would be by putting
appropriate directives in the http and https sections of the
httpd.conf file.  That is (assuming mod_jk is being used), have the
JkMount's for http-OK servlets/JSPs in the section that applies to the
root/http instance/virtual host, and have the JkMounts for https-OK
servlets/JSPs in the section that applies to the https
instance/virtual host.

How easy this would be, or whether it can be done at all, might depend
on how things are set up regarding the directory structure of the web
applications.  For example, if you have totally separate
directories/contexts for the http and https stuff, you're probably OK.
If you have them mixed, i.e. one directory/context that has both http
and https stuff, you might be in trouble.  Of course, that may be a
bad design for a number of reasons (including the problem of mixing
http and https in the same context and sessions, which has been
discussed here previously).


> > -----Original Message-----
> > From: Graham King [mailto:graham@gointernet.co.uk]
> > Sent: Friday, October 25, 2002 8:29 AM
> > To: Tomcat Users List
> > Subject: Re: Apache-Tomcat
> >
> >
> > See javax.servlet.ServletRequest.isSecure()
> >
> >   This should do it:
> >
> >   if ( request.isSecure() ) {
> >      // All is well
> >   }
> >   else {
> >      // Redirect to https site
> >   }
> >
> >
> > Turner, John wrote:
> > > I only know the inelegant, brute force way, which is to check the
> > > request object for the request type, and if it's "http" when it
> > > should be "https", do a redirect to the same URL but with "https"
> > > prepended.
> > >
> > > There's probably a much more robust and correct way to do this using
> > > Tomcat security restrictions and realms, but I haven't worked with
> > > them that much, so I don't want to give you wrong information.  Lots
> > > of people on the list have done this, though, so perhaps the best way
> > > to proceed would be to start a new thread with a new subject about
> > > restricting particular URLs to SSL.
> > >
> > > John
> > >
> > >
> > >
> > >>-----Original Message-----
> > >>From: Christie I [mailto:christie_iii@yahoo.com]
> > >>Sent: Friday, October 25, 2002 1:04 AM
> > >>To: Tomcat Users List
> > >>Subject: RE: Apache-Tomcat
> > >>
> > >>
> > >>
> > >>Hi
> > >>
> > >>Thank you very much John. It worked! I have one last
> > >>problem. I am running Openssl. I have *.jsp files in my
> > >>webapps/myproject directory, and some of the files need to
> > >>be accessed by https and not thru http. How to do this?
> > >>
> > >>For e.g.: https://0.0.0.0/welcome.jsp should not be accessed
> > >>thru http://0.0.0.0. How do I restrict this?
> > >>
> > >>Thanks in advance

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
mepstein@uiuc.edu


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
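
The split described in the message above (separate JkMount directives per virtual host), sketched as an httpd.conf fragment. This is an added example, not configuration posted in the thread; the host name, the /public and /secure context paths, the certificate paths and the worker name ajp13 are assumptions.

```apache
# Constructed example: every name and path below is a placeholder.
# Assumes mod_jk and mod_ssl are already loaded and that a worker named
# "ajp13" is defined in workers.properties.
# No JkMount is placed at global server scope; each mapping lives in
# exactly one virtual host.

# Plain-HTTP virtual host: only the context that may be served over
# http is forwarded to Tomcat.
<VirtualHost *:80>
    ServerName www.example.com
    JkMount /public/*.jsp     ajp13
    JkMount /public/servlet/* ajp13
</VirtualHost>

# HTTPS virtual host: the https-only context is mounted here and
# nowhere else, so an http:// request for /secure/... is not handed
# to Tomcat by this configuration.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    JkMount /secure/*.jsp     ajp13
    JkMount /secure/servlet/* ajp13
</VirtualHost>
```

The restriction only holds while Apache is the sole path to Tomcat: if Tomcat's own HTTP connector is reachable by clients, the https-only pages can still be requested over plain http on that port. It also assumes the /secure files are not exposed as static content by the port-80 host's DocumentRoot or an Alias.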

