tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jon Eaves <...@eaves.org>
Subject Re: Require a secure connection
Date Fri, 17 Jan 2003 00:03:35 GMT

Hi Neal,

   <security-constraint>
       <display-name>Web Booking</display-name>
       <web-resource-collection>
           <web-resource-name>Web Booking
           </web-resource-name>
           <url-pattern>/web/*</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
       </web-resource-collection>
       <user-data-constraint>
           <transport-guarantee>
               CONFIDENTIAL
           </transport-guarantee>
       </user-data-constraint>
   </security-constraint>

Will do what you want. This will switch the transport to HTTPS.
You can also check programatically using "request.isSecure()"
in the servlet to make sure the administrator has installed
your application and SSL correctly.


neal wrote:
> Does anyone know how to *require* that a page be accessed only via a secure
> connection?
> 
> For instance, I *can* request a secure connection to a page by going to
> "https://" and the url ... but how do I prevent a user from going to
> "http://" to request that same page?
> 
> Would this be a proxy thing or is something I can set in Tomcat?  Is there
> something that wouldn't require the overhead of reflecting upon every single
> request at the Java level?
> 
> Thanks.
> neal
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
> 

-- 
Jon Eaves <jon@eaves.org>
http://www.eaves.org/jon/


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message