Return-Path: 
 <users-return-136366-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: (qmail 16716 invoked from network); 29 Nov 2005 15:35:09 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 29 Nov 2005 15:35:09 -0000
Received: (qmail 34556 invoked by uid 500); 29 Nov 2005 15:34:48 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 34519 invoked by uid 500); 29 Nov 2005 15:34:48 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 34484 invoked by uid 99); 29 Nov 2005 15:34:47 -0000
Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 29 Nov 2005 07:34:47 -0800
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
	tests=SPF_HELO_PASS,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (asf.osuosl.org: domain of funkman@joedog.org designates
 204.74.20.252 as permitted sender)
Received: from [204.74.20.252] (HELO sid.armstrong.com) (204.74.20.252)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 29 Nov 2005 07:36:17 -0800
Received: from [10.38.20.134] (tafunk-lt.americas.armstrong.com
 [10.38.20.134])
	by sid.armstrong.com (8.12.8p1/8.12.8) with ESMTP id jATFeXuH020197
	for <users@tomcat.apache.org>; Tue, 29 Nov 2005 10:40:33 -0500
Message-ID: <438C7501.8080206@joedog.org>
Date: Tue, 29 Nov 2005 10:34:25 -0500
From: Tim Funk <funkman@joedog.org>
Organization: Human being
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
 rv:1.7.11) Gecko/20050728
X-Accept-Language: en-us, en, es-mx, de, sv
MIME-Version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: web.xml question
References: <BD261180E6D35F4D9D32F3E44FD3D90101E24F31@EMPBEDEX.empirix.com>
In-Reply-To: <BD261180E6D35F4D9D32F3E44FD3D90101E24F31@EMPBEDEX.empirix.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

Security constraints are only imposed on the incoming URL.

Long story short - you'll need to place the entire webapp in SSL. There is no 
clean way to use declarative statements to force the login to be SSL and the 
rest of the webapp be nonssl.

-Tim

Klotz Jr, Dennis wrote:

> Hello all. I hope your day is going well.
> 
> I need your help.
> 
> I cannot get a forms based login page to use SSL when I think I've setup
> the web.xml correctly. 
> 
> Why doesn't my login.jsp use HTTPS when tomcat is invoking it for
> authorization? (more details at the bottom)
> 
> Here are the relevant sections of my web.xml:
> 
> -----------------------------------------
> 
> <!-- BEGIN_LOGIN_SECURITY -->
>    <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Login page</web-resource-name>
>       <url-pattern>/login.jsp</url-pattern>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>     </web-resource-collection>
> 
>     <!--   Enable this for SSL -->
> 
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL
>       </transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
> 
>   <!-- END_LOGIN_SECURITY -->
> 
>   <!-- ======================================= -->
> 
>   <!-- LOGIN AUTHENTICATION -->
>   <!-- Form authentaication requires SSL -->
>        <login-config>
>            <auth-method>FORM</auth-method>
>            <realm-name>Application</realm-name>
>            <form-login-config>
>                <form-login-page>/login.jsp</form-login-page>
>                <form-error-page>/error_401.html</form-error-page>
>            </form-login-config>
>        </login-config>
> 
> 
> 
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>VoIP Monitor Applications</web-resource-name>
>       <url-pattern>/CallQDiagnostics.jsp</url-pattern>
>       <url-pattern>/report_index.jsp</url-pattern>
>       <url-pattern>/CallQAnalysis.jsp</url-pattern>
>       <url-pattern>/index.jsp</url-pattern>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>     </web-resource-collection>
> 
>     <auth-constraint>
>       <role-name>monitor_tier1</role-name>
>       <role-name>monitor_guest</role-name>
>       <role-name>monitor_admin</role-name>
>       <role-name>monitor_tier3</role-name>
>     </auth-constraint>
> 
>     <!--   Enable this for SSL -->
> 
>     <user-data-constraint>
>       <transport-guarantee>NONE
>       </transport-guarantee>
>     </user-data-constraint>
> 
>   </security-constraint>
> 
> ----------------------------------------------------------
> 
> So here is what happens. I type the full URL to the CallQAnalsysis.jsp
> (for example) and the login.jsp is invoked BUT it has NOT been
> redirected to the HTTPS connector (which is enabled and working).
> 
> Now if I type the address of the login.jsp directly, then the connection
> is redirected over HTTPS. 
> 
> Why doesn't the login.jsp use HTTPS when tomcat is invoking it for
> authorization?
> 
> Any help figuring out what I am doing wrong is greatly appreciated.
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org