tomcat-users mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: encrypt a single page
Date Tue, 13 May 2003 15:31:16 GMT
http://tomcatfaq.sourceforge.net/security.html might help with forcing a single 
page to be secure and forcing all other pages to not be secure.

As for detecting what port is used for what, you might need to parse 
server.xml to derive the ports. You can "easily" do this at webapp 
initialization with Digester. If you have JMX enabled (and depending on 
Tomcat version) - then you could always use JMX to look up the right 
bean (I can't remember right now) to get the port number.

But in any case, regardless of app server, being a florist looks like a 
pretty good option.

-Tim

John Russell wrote:
> Just for my own peace of mind, can someone answer me this....
> 
> Is the question below 
> 
> a) so boneheaded that no one will waste the keystrokes to respond to it?
> 
> or
> 
> b) not possible, go become a florist, it's easier on the eyes?
> 
> Thanks
> 
> On Tue, 2003-05-13 at 10:15, John Russell wrote:
> 
>>I have found the quote below in the SSL howto located at
>>
>>http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html
>>
>>This is _exactly_ what I want to do, (only encrypt a single page) but
>>can't for the life of me figure out how to _only_ encrypt that page and
>>no others after it. 
>>
>>I understand how to check the incoming scheme from a jsp to determine
>>whether or not a request was made using https, but if it was and I want
>>to switch back to http how can I do that?  
>>
>>I could paste a new url together and send a redirect, but how do I know
>>what ports are configured by the server as the secure and not secure
>>ports?  We are using non-standard ports so those are required parts of
>>the url. I get rashes when I hard code numbers into my code and a user
>>may change the ports in the Tomcat config file. 
>>
>>So in summary, can anyone tell me the standard way to only use https on
>>a single page and then switch back to http.  Thanks for your time.
>>
>>
>>
>>
>>---------------------------------------------------
>>Quote:
>>
>>It is not strictly necessary to run an entire web application over SSL,
>>and indeed a developer can pick and choose which pages require a secure
>>connection and which do not. For a reasonably busy site, it is customary
>>to only run certain pages under SSL, namely those pages where sensitive
>>information could possibly be exchanged. This would include things like
>>login pages, .... Any page within an application can be requested over a
>>secure socket by simply prefixing the address with https: instead of
>>http:. Any pages which absolutely require a secure connection should
>>check the protocol type associated with the page request and take the
>>appropriate action if https is not specified.
>>
>>----------------------------------------------------
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>


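The server.xml lookup suggested in the reply above, as an added example (not code from this thread or from Tomcat): it uses the JDK's DOM parser instead of Digester and rebuilds a URL on the other scheme from the ports it finds. The class name, host name and port values are constructed, and it assumes the first Connector without `secure="true"` is the plain HTTP one.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ConnectorPorts {
    // Constructed sample; a real webapp would read conf/server.xml under catalina.base.
    static final String SAMPLE =
        "<Server><Service name='Tomcat-Standalone'>"
      + "<Connector port='8180' redirectPort='8543'/>"
      + "<Connector port='8543' scheme='https' secure='true'/>"
      + "</Service></Server>";

    /** Returns {plainPort, securePort}; -1 where no matching Connector exists. */
    static int[] findPorts(Document doc) {
        int plain = -1, secure = -1;
        NodeList connectors = doc.getElementsByTagName("Connector");
        for (int i = 0; i < connectors.getLength(); i++) {
            Element c = (Element) connectors.item(i);
            String port = c.getAttribute("port");
            if (port.isEmpty()) continue;
            // The SSL connector carries secure="true"; assumption: the first
            // connector without it is HTTP (not AJP).
            if ("true".equalsIgnoreCase(c.getAttribute("secure"))) {
                if (secure < 0) secure = Integer.parseInt(port);
            } else if (plain < 0) {
                plain = Integer.parseInt(port);
            }
        }
        return new int[] { plain, secure };
    }

    /** Rebuilds a URL on the other scheme, omitting the port when it is the default. */
    static String switchScheme(boolean toHttps, String host, int port, String pathAndQuery) {
        String scheme = toHttps ? "https" : "http";
        boolean isDefault = port == (toHttps ? 443 : 80);
        return scheme + "://" + host + (isDefault ? "" : ":" + port) + pathAndQuery;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // server.xml needs no DTD; refusing DOCTYPE shuts out external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
        int[] p = findPorts(doc);
        System.out.println(switchScheme(true, "shop.example", p[1], "/login.jsp"));
        System.out.println(switchScheme(false, "shop.example", p[0], "/catalog.jsp"));
    }
}
```

The host passed to `switchScheme` should come from configuration rather than the request's Host header, so the redirect target cannot be steered by the client.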