tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Filters don't affect request dispatcher forward
Date Tue, 03 Dec 2002 01:31:47 GMT


On 2 Dec 2002, Alexander Wallace wrote:

> Date: 02 Dec 2002 18:41:26 -0600
> From: Alexander Wallace <tomcater@rwsoft-online.com>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Subject: Filters don't affect request dispatcher forward
>
> Hi there. I wrote a filter to ensure that resources that i want accessed
> using https are, and the ones that don't need to aren't.
>
> I found out that filters are only applied if the request came from the
> user, by typing the url or using a link, etc. They are not used if the
> resource is called using request dispatcher.
>
> Supposedly this is becouse of a lack of specifications in the servlet
> api, but that should be fixed in the api used by tomcat 5.
>
> Is all this correct?

Yes, basically.

> Is there a work around while tomcat 5 is released?

You can use a security constraint with a <transport-guarantee> element to
require that certain accesses be performed only on SSL connections.  Then,
the container will do the necessary redirect for you.

An example that requires any (context-relative) path starting with "/foo"
or "/bar" to be done on SSL would look like this:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL-Only Portion Of This Webapp</web-resource-name>
      <!-- Specify as many patterns as you need here -->
      <url-pattern>/foo/*</url-pattern>
      <url-pattern>/bar/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

Note that, because there is no <auth-constraint>, login will not be
required -- only execution over SSL will be required, and only for URLs in
the named "subdirectories".  All other accesses to the webapp will be
allowed over either SSL or non-SSL requests.

>
> Also, does someone have or knows of a proven filter that redirects to
> http or https? Mine seesm to work ok, but i want to make sure I'm not
> missing something.
>

With the above security constraint, you won't need a filter at all :-).

> Thanks in advance!
>

Craig


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message