tomcat-users mailing list archives

From Lyallex <lyal...@gmail.com>
Subject Re: Tomcat cannot access the resources in an HTTPS webapp
Date Mon, 16 Jul 2007 11:35:00 GMT
Hi

There seems to be an awful lot of confusion on this list about
container managed security and https ... I know I was confused when I
started with it.

As I see it the two are not really connected.

I think what you want to do is to force an https request for certain
resources in your application.

One way of doing this is to add this to your security constraint

<user-data-constraint>
	<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

Of course, as always, this is not the complete answer but it should
get you started.

(see http://java.sun.com/j2ee/dtds/web-app_2_2.dtd for where this goes
in web.xml)

If you were to configure the
<auth-method>FORM</auth-method> (for example)
with a suitable login form then when you attempt to access a protected
resource that has the required transport guarantee associated with it,
access to that resource will not only require a user to log in but
access to the resource itself will 'automatically' be over https.

As usual I'm sure there are other (better) ways of doing this but it
works for me.

I hope this helps.

Rgds
Duncan

On 7/16/07, Dimitris Mouchritsas <dvm@mail.daedalus.gr> wrote:
> Mark Thomas wrote:
> > Dimitris Mouchritsas wrote:
> >
> >>   <login-config>
> >>     <auth-method>HTTPS</auth-method>
> >>     <realm-name>ORA Examples</realm-name>
> >>   </login-config>
> >>
> >
> > There is no such authentication method defined in the spec. If you
> > want client certificate authentication then the correct value is
> > CLIENT-CERT.
> >
> > Mark
> >
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
> >
>
> No, I don't want client certification at the moment, only the encryption
> that https offers.
> So if I want a subdirectory (e.g. admin) of my webapp, or my entire
> webapp to be accessible
> _only_ under https what should I do?
>
>
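
Added example, not part of the original message and not taken from the Tomcat project: a complete security constraint for the case asked about in the quoted question (an admin subdirectory reachable only over https, with no login required). The resource name and the /admin/* pattern are assumptions.

```xml
<!-- Added example; the resource name and URL pattern are assumptions. -->
<!-- Goes inside <web-app> in WEB-INF/web.xml. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <!-- Use /* instead to cover the entire webapp. -->
    <url-pattern>/admin/*</url-pattern>
    <!-- No <http-method> elements, so the constraint applies to every
         method. Listing only some methods leaves the others uncovered. -->
  </web-resource-collection>
  <!-- No <auth-constraint>: nobody has to log in, only the transport
       is constrained. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Tomcat answers a plain http request for a matching URL with a redirect to the port named in the redirectPort attribute of the HTTP Connector in server.xml, so an SSL connector has to be listening on that port. The redirect only happens after the first request has already arrived over plain http, so links and forms that point at the protected area should use https URLs directly.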
