Message-ID: <28174dd80707030153m56df3c7eha75f59ad140950f6@mail.gmail.com>
Date: Tue, 3 Jul 2007 09:53:03 +0100
From: Lyallex
To: users@tomcat.apache.org
Subject: Re: Old Chestnut (http - https) causing some confusion
In-Reply-To: <28174dd80706290951k2eec611eq52c8323af500df8@mail.gmail.com>

Hi

Just a short note to say thanks to those that replied to my post.

I've spent the past three days trying to figure out the best approach given
all the options available and I have something working. It doesn't work
quite how I'd like, the main problem being that when I get a
RequestDispatcher in a Servlet and forward to a resource that has a mapping
to a Filter, the Filter doesn't fire. I think I understand why (forwarding
passes the request and response to another resource, it's not like making a
request) but it doesn't really help me.

Still, like someone said, it's all a matter of tradeoffs.

Regards
Duncan

On 6/29/07, Lyallex wrote:
>
> Hi
>
> Java 1.5.0_10
> Tomcat 5.5.17
>
> I've just spent the past couple of hours reading past postings to this
> list at marc.info
>
> The subject I'm interested in is the efficient use of ssl/https.
> I have managed to get the 'redirection' to https working with the following
> entry in web.xml (amongst other config type things)
>
> <security-constraint>
> ...
> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
>
> The problem, as I'm sure you've guessed by now, is that once an account is
> logged in I want the client to be able to browse the site via http, not https.
>
> I know this issue has been around since at least 2004 (this is as far back
> as I went)
>
> The Tomcat Docs at http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html state
>
> "... Also, while the SSL protocol was designed to be as efficient as
> securely possible, encryption/decryption is a computationally expensive
> process from a performance standpoint. It is not strictly necessary to run
> an entire web application over SSL, and indeed a developer can pick and
> choose which pages require a secure connection and which do not..."
>
> Marvelous... thing is I've seen various solutions suggested from fronting
> Tomcat with Apache httpd and using something called modRedirect to writing
> some sort of filter. Have the experts come to some sort of conclusion as to
> the best way to 'pick and choose which pages require a secure connection...'
> given the various security issues that seem to be of concern etc.
>
> Many thanks for reading this, I'm sure you're all bored to tears by this
> subject now.
>
> Rgds
> Duncan
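
The Filter that does not fire on a RequestDispatcher forward, as described in the reply above, matches the Servlet 2.4 rule that a filter mapping with no dispatcher element applies to client requests only. The web.xml below is an added example, not part of the original post or of Tomcat's documentation; the filter name, filter class and URL patterns are hypothetical.

```xml
<!-- Added illustration; SchemeFilter, com.example.SchemeFilter and the
     /account/* and /login/* patterns are hypothetical names. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <filter>
    <filter-name>SchemeFilter</filter-name>
    <filter-class>com.example.SchemeFilter</filter-class>
  </filter>

  <!-- Before: no dispatcher element, which is the same as REQUEST only,
       so the filter is skipped when a servlet forwards to /account/*.
  <filter-mapping>
    <filter-name>SchemeFilter</filter-name>
    <url-pattern>/account/*</url-pattern>
  </filter-mapping>
  -->

  <!-- After: the filter runs for direct client requests and for
       RequestDispatcher.forward() targets under /account/*. -->
  <filter-mapping>
    <filter-name>SchemeFilter</filter-name>
    <url-pattern>/account/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>

  <!-- Container-enforced HTTPS, as in the quoted post. The container checks
       this constraint on the client's original request only; a forward to
       /login/* from a plain-http request is not re-checked. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
```

The dispatcher element is only recognised when the descriptor declares version 2.4 or later, which Tomcat 5.5 supports.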