tomcat-users mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: Old Chestnut (http - https) causing some confusion
Date Fri, 29 Jun 2007 17:40:07 GMT
What you'll really want is to ditch the transport guarantee clause in 
web.xml and create a filter which will be smart enough to force/unforce 
you from SSL.

For example:
doFilter(...)  {
   // decide per request whether this URL must (or must not) be on SSL
   boolean isSSLRequired = magicYesNo(request);
   if (isSSLRequired && !request.isSecure()) {
      doSomeRedirectToSSL(...);    // e.g. response.sendRedirect(https URL)
      return;
   } else if (!isSSLRequired && request.isSecure()) {
      doSomeRedirectToNotSSL(...); // e.g. response.sendRedirect(http URL)
      return;
   }
   chain.doFilter(...);            // FilterChain.doFilter, not filter.doChain
}

-Tim
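A fleshed-out version of the filter sketched above, as an added example that is not code from the original post or from Tomcat itself. It assumes three init-params (`securePaths`, a comma-separated list of context-relative prefixes that must be served over SSL; `httpPort` and `httpsPort` for building the redirect) and is written against the Servlet 2.4 API that Tomcat 5.5 ships with, so it avoids Java 6 String methods.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the mailing-list post): a Filter that replaces a
 * <transport-guarantee>CONFIDENTIAL</transport-guarantee> constraint. URLs
 * under the configured prefixes are forced onto HTTPS; every other URL that
 * arrives over HTTPS is bounced back to plain HTTP. Init-param names and the
 * default ports are assumptions for this example.
 */
public class SslSwitchFilter implements Filter {

    private List<String> securePrefixes;   // context-relative paths that require SSL
    private int httpPort;
    private int httpsPort;

    public void init(FilterConfig cfg) throws ServletException {
        // Assumed init-param, e.g. securePaths="/login,/account,/checkout"
        String paths = cfg.getInitParameter("securePaths");
        securePrefixes = Arrays.asList(paths == null ? new String[0] : paths.split(","));
        httpPort = parsePort(cfg.getInitParameter("httpPort"), 80);
        httpsPort = parsePort(cfg.getInitParameter("httpsPort"), 443);
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        boolean sslRequired = requiresSsl(request);

        if (sslRequired && !request.isSecure()) {
            // plain HTTP hit on a protected path: send the client to the HTTPS port
            response.sendRedirect(rebuildUrl(request, "https", httpsPort));
            return;
        }
        if (!sslRequired && request.isSecure()) {
            // HTTPS hit on an unprotected path: send the client back to plain HTTP
            response.sendRedirect(rebuildUrl(request, "http", httpPort));
            return;
        }
        chain.doFilter(request, response);
    }

    /** The "magicYesNo" decision: match the request path against the configured prefixes. */
    boolean requiresSsl(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        for (String p : securePrefixes) {
            String prefix = p.trim();
            if (prefix.length() > 0 && path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** Rebuild the current URL with the target scheme and port, keeping the query string. */
    static String rebuildUrl(HttpServletRequest request, String scheme, int port) {
        StringBuilder url = new StringBuilder(scheme).append("://").append(request.getServerName());
        boolean defaultPort = ("https".equals(scheme) && port == 443)
                || ("http".equals(scheme) && port == 80);
        if (!defaultPort) {
            url.append(':').append(port);
        }
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }

    private static int parsePort(String value, int fallback) {
        try {
            return value == null ? fallback : Integer.parseInt(value.trim());
        } catch (NumberFormatException e) {
            return fallback;
        }
    }
}
```

Map it in web.xml with a `<filter>` element carrying the three init-params and a `<filter-mapping>` on `/*`, and remove the `<user-data-constraint>` so the container and the filter do not fight over the same URLs. Two things to keep in mind when using this pattern: a redirect only works cleanly for GET, since a 302 drops a POST body; and once a logged-in session is sent back to plain HTTP, its session cookie (JSESSIONID by default) travels in the clear on every request, so anyone able to observe the traffic can reuse it. The saving in SSL CPU time is real, but it is bought with exactly the exposure the CONFIDENTIAL constraint was there to prevent, so keep anything that acts on the session (account pages, checkout, admin) in the secure prefix list.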

Lyallex wrote:
> Hi
> 
> Java 1.5.0_10
> Tomcat 5.5.17
> 
> I've just spent the past couple of hours reading past postings to this list
> at marc.info
> 
> The subject I'm interested in is the efficient use of ssl/https.
> I have managed to get the 'redirection' to https working with the following
> entry in web.xml (amongst other config type things)
> 
>  <security-constraint>
>   ...
>    <user-data-constraint>
>    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>    </user-data-constraint>
>  </security-constraint>
> 
> The problem, as I'm sure you've guessed by now is that once an account is
> logged in
> I want the client to be able to browse the site via http, not https.
> 
> I know this issue has been around since at least 2004 (this is as far back
> as I went)
> 
> The Tomcat Docs at
> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html state
> 
> <quote>
> 
> "... Also, while the SSL protocol was designed to be as efficient as
> securely possible,
> encryption/decryption is a computationally expensive process from a
> performance standpoint.
> It is not strictly necessary to run an entire web application over SSL, and
> indeed a developer
> can pick and choose which pages require a secure connection and which do
> not..."
> 
> </quote>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
