tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Milt Epstein <>
Subject Re: Require a secure connection
Date Sat, 18 Jan 2003 00:27:37 GMT
On Thu, 16 Jan 2003, neal wrote:

> Does anyone know how to *require* that a page be accessed only via a
> secure connection?
> For instance, I *can* request a secure connection to a page by going
> to "https://" and the url ... but how do I prevent a user from going
> to "http://" to request that same page?
> Would this be a proxy thing or is something I can set in Tomcat?  Is
> there something that wouldn't require the overhead of reflecting
> upon every single request at the Java level?
> Thanks.
> neal

I think if you're using Tomcat standalone, the <security-constraint>
technique that others have mentioned is the way to go.  But if you're
using Tomcat behind Apache, you should be able to control this by
controlling what resources are available to each "instance" of the
server (with http being one instance and https being another).  For
example, you can set them up as separate virtual hosts, and then
control what resources are accessible within each virtual host.  Works
for us.

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message