tomcat-users mailing list archives

From shawn <javajun...@koyuru.com>
Subject Re: Require a secure connection
Date Fri, 17 Jan 2003 01:11:39 GMT
According to
http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security5.html another
way would be to specify it in web.xml. 

... 

If you specify CONFIDENTIAL or INTEGRAL as a security constraint, that
type of security constraint applies to all requests that match the URL
patterns in the Web resource collection, not just to the login dialog.

 Specify CONFIDENTIAL when the application requires that data be
transmitted so as to prevent other entities from observing the contents
of the transmission. Specify INTEGRAL when the application requires that
the data be sent between client and server in such a way that it cannot
be changed in transit. The following example code from a web.xml file
shows this setting in context:

        <!-- SECURITY CONSTRAINT -->
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>WRCollection</web-resource-name>
              <url-pattern>/index.jsp</url-pattern>
              <http-method>GET</http-method>
            </web-resource-collection>
            <auth-constraint>
              <role-name>user</role-name>
            </auth-constraint>
            <user-data-constraint>
              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
          </security-constraint>

Shawn


On Fri, 2003-01-17 at 07:09, neal wrote:
> Does anyone know how to *require* that a page be accessed only via a secure
> connection?
> 
> For instance, I *can* request a secure connection to a page by going to
> "https://" and the url ... but how do I prevent a user from going to
> "http://" to request that same page?
> 
> Would this be a proxy thing or is something I can set in Tomcat?  Is there
> something that wouldn't require the overhead of reflecting upon every single
> request at the Java level?
> 
> Thanks.
> neal
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
-- 
shawn <javajunkie@koyuru.com>
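An added example, not part of the original message or of Tomcat: a small audit that reads a web.xml and reports URL patterns whose security constraint does not force a transport guarantee on every HTTP method. The function names and the second constraint (`/account/*`) in the sample are constructed for illustration; each constraint is checked on its own, without merging overlapping constraints.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the message (GET only) plus a second,
# hypothetical constraint on /account/* that has no user-data-constraint.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Drop an XML namespace prefix so DTD-based and schema-based descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def audit_transport(web_xml_text):
    """Return (url_pattern, finding) pairs for constraints that do not force TLS on all methods."""
    findings = []
    root = ET.fromstring(web_xml_text)
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        guarantee = next((e.text.strip().upper() for e in sc.iter()
                          if local(e.tag) == "transport-guarantee" and e.text), "NONE")
        for wrc in (e for e in sc if local(e.tag) == "web-resource-collection"):
            patterns = [e.text.strip() for e in wrc if local(e.tag) == "url-pattern" and e.text]
            methods = sorted(e.text.strip().upper() for e in wrc
                             if local(e.tag) == "http-method" and e.text)
            for p in patterns:
                if guarantee not in ("CONFIDENTIAL", "INTEGRAL"):
                    findings.append((p, "no transport guarantee: plain http:// is accepted"))
                elif methods:
                    findings.append((p, "guarantee covers only " + ",".join(methods)
                                     + "; other methods are unconstrained"))
    return findings

if __name__ == "__main__":
    for pattern, finding in audit_transport(SAMPLE_WEB_XML):
        print(pattern, "->", finding)
```

A constraint that lists no `<http-method>` elements applies to every method, so removing the `GET` line from the quoted example clears the first finding.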

