tomcat-users mailing list archives

From "Hyatt, Gordon" <Gordon.Hy...@joslin.harvard.edu>
Subject How to force HTTPS on some of Struts-based site
Date Tue, 01 Apr 2008 18:22:06 GMT
I'm trying to add Authentication (over HTTPS) to a Struts-based web app
and am running into problems.

I can get Tomcat (5.5.26) to authenticate the user (using Basic login)
without issue, but I can't seem to get a Struts-based login form to
work.  Because of the way the passwords are encrypted, I need to use a
custom login (via Struts forms) or create a new Realm (something I'd
rather not start, due to time constraints).

The intent is as follows:

For the main site: plain HTTP access.
For the administration and sample submission areas: require authentication over HTTPS.
Disallow DELETE and PUT methods from all areas.

I've configured Tomcat as follows:

In web.xml

...

<security-constraint>
  <display-name>Administration Methods</display-name>
  <web-resource-collection>
    <web-resource-name>admin methods</web-resource-name>
    <description/>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin_user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

I've also added a filter to capture all requests (/*) that checks the
requested path; if that path is a "privileged" path (admin or
submission), then check that the user is authenticated and within the
specified role (as configured in the filter).

I changed the role-name to * in the above auth-constraint and removed
(commented out) the <login-config> section of web.xml.

So my question is this: how do I force HTTPS on some portions of a
Struts-based web site?  With the filter, I can force authentication, but
not the HTTPS constraint.

Thanks, in advance

Gord
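Editor's note, with an added example that is not part of Gord's post. Two points about the web.xml above are worth knowing before reaching for a filter. First, Tomcat checks the user-data-constraint (and issues the redirect to the connector's redirectPort) before it authenticates anyone and whether or not an auth-constraint is present, so a security-constraint with CONFIDENTIAL and no auth-constraint at all forces HTTPS on /admin/* while leaving login to Struts; an auth-constraint naming * still demands an authenticated user, and with the login-config removed nobody can become one. Second, listing GET and POST as http-methods constrains only those two: PUT, DELETE, HEAD and the rest fall outside the constraint entirely, which is the opposite of the stated intent. If the HTTPS check must live in the filter anyway, the following filter is one way to do it. It uses only the Servlet 2.4 API that Tomcat 5.5 provides; the class name, the init-param names and the default prefixes are assumptions for this example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not the poster's code). Map it to /* in web.xml. It
 * (1) refuses PUT and DELETE everywhere and (2) requires TLS on the
 * "privileged" path prefixes. init-params (names assumed for this
 * example): privilegedPrefixes, e.g. "/admin,/submission", and httpsPort,
 * e.g. "8443" (default 443).
 */
public class RequireHttpsFilter implements Filter {

    private static final Set<String> BLOCKED_METHODS =
        new HashSet<String>(Arrays.asList("PUT", "DELETE"));

    private String[] privilegedPrefixes = { "/admin", "/submission" };
    private int httpsPort = 443;

    public void init(FilterConfig config) throws ServletException {
        String prefixes = config.getInitParameter("privilegedPrefixes");
        if (prefixes != null && prefixes.trim().length() > 0) {
            privilegedPrefixes = prefixes.trim().split("\\s*,\\s*");
        }
        String port = config.getInitParameter("httpsPort");
        if (port != null) {
            httpsPort = Integer.parseInt(port.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String method = request.getMethod().toUpperCase();

        // Unlike an <http-method> list in a security-constraint, which
        // constrains only the methods it names, this rejects PUT/DELETE outright.
        if (BLOCKED_METHODS.contains(method)) {
            response.setHeader("Allow", "GET, HEAD, POST");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }

        // isSecure() reflects the connector the request arrived on. Behind a
        // TLS-terminating proxy the plain HTTP connector needs secure="true"
        // in server.xml, otherwise every request looks insecure and loops here.
        if (isPrivileged(normalizedPath(request)) && !request.isSecure()) {
            if (!"GET".equals(method) && !"HEAD".equals(method)) {
                // A POST over plain HTTP (e.g. the login form) has already
                // exposed its body, and a redirect would drop it. Refuse instead.
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "This resource must be requested over HTTPS");
                return;
            }
            response.sendRedirect(httpsUrl(request));
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Path inside the web app taken from the container's decoded, normalized
     * mapping (servletPath + pathInfo). getRequestURI() is the raw request
     * line and can carry "/./" or "/../" segments that slip past a prefix test.
     */
    static String normalizedPath(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        return path;
    }

    boolean isPrivileged(String path) {
        for (String prefix : privilegedPrefixes) {
            // "/admin" and "/admin/..." are privileged; "/administrator" is not
            if (path.equals(prefix) || path.startsWith(prefix + "/")) {
                return true;
            }
        }
        return false;
    }

    /** Same host, path and query string, on the HTTPS port. */
    String httpsUrl(HttpServletRequest request) {
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        if (httpsPort != 443) {
            url.append(':').append(httpsPort);
        }
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }

    public void destroy() {
    }
}
```

Register it with a <filter> and a <filter-mapping> for /* in web.xml, ahead of the Struts mapping. The prefix check deliberately reads getServletPath() and getPathInfo() rather than getRequestURI(), because the former come from the path Tomcat already decoded and normalized when it mapped the request, so a request for /foo/../admin/x is seen as /admin/x. Note also that with a Struts extension mapping such as *.do the whole path is in getServletPath() and getPathInfo() is null, which the helper handles.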

