tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: How to force HTTPS on some of Struts-based site
Date Thu, 03 Apr 2008 00:49:48 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gordon,

Hyatt, Gordon wrote:
| The intent is as follows:
|
| For the main site: plain HTTP access
|
| For the administration and sample submission areas, require
| authentication over HTTPS
|
| Disallow DELETE and PUT methods from all areas.

[snip]

| <security-constraint>
|   <display-name>Administration Methods</display-name>
|   <web-resource-collection>
|     <web-resource-name>admin methods</web-resource-name>
|     <description/>
|     <url-pattern>/admin/*</url-pattern>
|     <http-method>GET</http-method>
|     <http-method>POST</http-method>
|   </web-resource-collection>
|   <auth-constraint>
|     <role-name>admin_user</role-name>
|   </auth-constraint>
|   <user-data-constraint>
|     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
|   </user-data-constraint>
| </security-constraint>

That ought to fill your first 2 requirements. In order to prohibit PUT
and DELETE, you'll need another <security-constraint> section that
specifies no valid roles for the PUT and DELETE methods.

| I've also added a filter to capture all requests (/*) that checks the
| requested path; if that path is a "privileged" path (admin or
| submission), then check that the user is authenticated and within the
| specified role (as configured in the filter).

This should not be necessary; the container should already handle the
role checking (it's already configured in web.xml).

| I changed the role-name to * in the above auth-constraint and removed
| (commented out) the <login-config> section of web.xml.

Why?

| So my question is this: how do I force HTTPS on some portions of a
| Struts-based web site.  With the filter, I can force authentication, but
| not the HTTPS constraint.

<user-data-constraint> should be enough to make that happen. Are you
saying that a <security-constraint> with only the <transport-guarantee>
in it is not being respected by Tomcat?

Which version? Can you post your new web.xml instead of the original one
that has since been modified?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkf0KawACgkQ9CaO5/Lv0PBfQgCeLQFA0sJNAG7MfPoa2I52orWz
20QAnjZd1EwJIEQoBzoK/g8nFmaGGuIh
=s08N
-----END PGP SIGNATURE-----
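The following web.xml excerpt is an added example illustrating the container-managed approach described in the reply above; it is not Gordon's web.xml and not code from the thread. It assumes Servlet 2.5 (Tomcat of that era), a `/submission/*` URL pattern for the sample submission area, FORM authentication with hypothetical login pages, and the `admin_user` role from the quoted snippet. The second constraint carries an empty `<auth-constraint/>`, which in the servlet deployment descriptor means "no role may access", i.e. the container rejects PUT and DELETE for every path. Note that the first constraint lists only GET and POST, so it says nothing about other methods (HEAD, OPTIONS, TRACE) on `/admin/*`; what is not listed is simply left unconstrained by that element. A constraint with a `<user-data-constraint>` and no `<auth-constraint>` element at all forces HTTPS without requiring a login, which is the case the reply asks about.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original poster's descriptor. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- 1. Administration and sample submission areas:
          must be authenticated as admin_user AND must use HTTPS.
          /submission/* is an assumed pattern for this example. -->
  <security-constraint>
    <display-name>Privileged areas</display-name>
    <web-resource-collection>
      <web-resource-name>admin and submission</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <url-pattern>/submission/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin_user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL makes the container redirect plain HTTP to HTTPS -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 2. Disallow PUT and DELETE everywhere.
          An EMPTY auth-constraint means no role is permitted,
          so the container refuses these methods for all users. -->
  <security-constraint>
    <display-name>Block PUT and DELETE</display-name>
    <web-resource-collection>
      <web-resource-name>entire site</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- 3. login-config must remain present: without it the container
          has no way to authenticate users for constraint 1.
          FORM auth and the page names are assumptions for this example. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declare the role referenced in the auth-constraint -->
  <security-role>
    <role-name>admin_user</role-name>
  </security-role>

</web-app>
```

With this in place the request filter described in the thread is redundant: the container performs the role check and the HTTPS redirect itself, and the main site (anything outside the two constrained areas) stays reachable over plain HTTP. If HTTPS is still not enforced after deploying a descriptor like this, the usual things to check are that an HTTPS connector is configured in server.xml and that the HTTP connector's redirectPort points at it.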

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

