tomcat-users mailing list archives

From "Hyatt, Gordon" <>
Subject How to force HTTPS on some of Struts-based site
Date Tue, 01 Apr 2008 18:22:06 GMT
I'm trying to add Authentication (over HTTPS) to a Struts-based web app
and am running into problems.


I can get Tomcat (5.5.26) to authenticate the user (using Basic login)
without issue, but I can't seem to get a Struts-based login form to
work.  Because of the way the passwords are encrypted, I need to use a
custom login (via Struts forms) or create a new Realm (something I'd
rather not start, due to time constraints).



The intent is as follows:

For the main site: plain HTTP access

For the administration and sample submission areas, require
authentication over HTTPS

Disallow DELETE and PUT methods from all areas.



I've configured Tomcat as follows:


In web.xml




  <display-name>Administration Methods</display-name>


    <web-resource-name>admin methods</web-resource-name>














I've also added a filter to capture all requests (/*) that checks the
requested path; if that path is a "privileged" path (admin or
submission), then check that the user is authenticated and within the
specified role (as configured in the filter).


I changed the role-name to * in the above auth-constraint and removed
(commented out) the <login-config> section of web.xml.


So my question is this: how do I force HTTPS on some portions of a
Struts-based web site?  With the filter, I can force authentication, but
not the HTTPS constraint.


Thanks, in advance
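
Added example, not part of the original message: a declarative web.xml fragment covering the three stated intents (plain HTTP for the main site, HTTPS for the privileged areas, DELETE and PUT refused everywhere) while leaving authentication to the application's own filter. The URL patterns `/admin/*` and `/submission/*` are assumptions, since the message does not give the real paths.

```xml
<!-- Added example: fragment for WEB-INF/web.xml (Servlet 2.4, the level
     Tomcat 5.5 implements). Not the poster's configuration. -->
<!-- Assumption: the privileged areas are served under /admin/* and
     /submission/*; replace with the request URLs the application uses. -->

<!-- 1. Require HTTPS on the privileged paths.
     There is no auth-constraint, so the container performs no login and
     no login-config is needed; authentication stays in the custom filter.
     Paths not listed here remain reachable over plain HTTP. -->
<security-constraint>
  <display-name>Privileged areas over HTTPS</display-name>
  <web-resource-collection>
    <web-resource-name>privileged paths</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/submission/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- 2. Refuse DELETE and PUT for every path.
     An empty auth-constraint means no role is allowed, so the listed
     methods are denied for all users, authenticated or not. -->
<security-constraint>
  <display-name>Blocked methods</display-name>
  <web-resource-collection>
    <web-resource-name>blocked methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

Tomcat answers a plain-HTTP request for a CONFIDENTIAL path with a redirect to the port named in the HTTP connector's `redirectPort` attribute in server.xml, so that value must match the HTTPS connector. The URL the login form posts to has to fall under one of the protected patterns as well, otherwise the credentials travel over plain HTTP before the redirect happens.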



