tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: How to force HTTPS on some of Struts-based site
Date Thu, 03 Apr 2008 17:00:58 GMT


Hyatt, Gordon wrote:
| I had everything working correctly using container-based security (using
| digested passwords), including denying DELETE and PUT requests.  But,
| due to the "enhanced" password encryption requirements of this site (a
| requirements change near the time of delivery - a simple one-way digest
| was deemed insufficient), I cannot use container-based authentication.


| So I decided on the fallback to write a simple filter to handle the
| authentication and redirection with Struts-based forms (simply because
| the rest of the site uses Struts) and handle the actual authentication
| (including password encryption) in a Struts Action.  In order for the
| filter to receive the request, I had to remove some of the
| container-based security (the PUT and DELETE security-constraint still
| exists).

You should check out securityfilter
( which does exactly what you
want. Yes, you will have to write your own "realm" type thing, but at
least you are not tying yourself to Tomcat (which isn't so bad, really).

| The only other way I could think of handling the password encryption
| scheme was to write a custom Realm, which at the time, seemed
| over-the-top to me.  Looking back, perhaps a custom Realm would have
| been the way to go.

Yeah, it wouldn't have been too bad. If you want to use something a
little more flexible than Tomcat's built-in security, you could look at
securityfilter. It gives you a little more freedom with the requirements
(for instance, you can do drive-by logins) and doesn't tie you to a
specific container.

-chris

