tomcat-users mailing list archives

From Justin Randall <ran...@hotmail.com>
Subject RE: j_security_check with https
Date Wed, 07 Jan 2009 13:38:17 GMT

Hello,

I'm not going to bother responding to the many posts that said the solution I mentioned was
wrong; instead I'll just provide the example of how to do it, since it works.

====

..... lines removed .....

package blah;

..... lines removed .....

public final class SomeFilterClass implements Filter {

..... lines removed .....

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse rsp = (HttpServletResponse) response;
        rsp.sendRedirect(req.getRequestURI());
        filterChain.doFilter(request, response);
    }

..... lines removed .....

}
=====

And below is what the web.xml looks like:

=====

.... lines removed .....

  <filter>
      <filter-name>SomeFilterClass</filter-name>
      <filter-class>blah.SomeFilterClass</filter-class>
  </filter>
  <filter-mapping>
      <filter-name>SomeFilterClass</filter-name>
      <url-pattern>/ssl/*</url-pattern>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>INCLUDE</dispatcher>
      <dispatcher>ERROR</dispatcher>
  </filter-mapping>

..... lines removed .....

  <security-constraint>
      <web-resource-collection>
          <web-resource-name>RequiresLogin</web-resource-name>
          <url-pattern>/html/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
          <role-name>somerole</role-name>
      </auth-constraint>
  </security-constraint>
  
  <security-constraint>
      <web-resource-collection>
          <web-resource-name>RequiresSSL</web-resource-name>
          <url-pattern>/ssl/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
  </security-constraint>
  
  <security-role>
      <role-name>somerole</role-name>
  </security-role>
  
  <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
          <form-login-page>/ssl/login.jsp</form-login-page>
          <form-error-page>/ssl/login-error.jsp</form-error-page>
      </form-login-config>
  </login-config>

..... lines removed .....

=====

Of course you'll need to change the login/security constraint URLs and role name to match
those in your environment.

For anyone who stated the earlier statements were incorrect, I encourage you to provide another
"better" working example.  This one works for me and is used by other industry professionals.

Regards,

Justin

Here is an example:

> Date: Wed, 7 Jan 2009 09:35:33 +0100
> From: rc46fi@googlemail.com
> To: users@tomcat.apache.org
> Subject: Re: j_security_check with https
> 
> Hi Justin,
> 
> On Wed, Jan 7, 2009 at 4:13 AM, Justin Randall <randju@hotmail.com> wrote:
> >
> > Create a Filter subclass with the sole purpose of having its "doFilter" method call
> > "sendRedirect" on the HttpServletResponse object.  Map this Filter to the same URL pattern
> > you use for SSL and make sure to use the <dispatcher> tags for FORWARD, INCLUDE, ERROR,
> > and whatever other RequestDispatcher operations you want to ensure use SSL.
> >
> 
> You've got any example using this solution?
> 
> Gregor
> -- 
> just because you're paranoid, doesn't mean they're not after you...
> gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
> gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
> 
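
A variant of the redirect filter from the message above, as an added example that is not part of the original post: it redirects only when the dispatched request is not already secure and builds an explicit `https://` URL, passing requests that arrived over TLS down the chain unchanged. The class name, the `httpsPort` init-param and the `httpsUrl` helper are hypothetical; it assumes the `javax.servlet` API and a connector for which `isSecure()` reflects the client connection.

```java
package blah;

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the original post): force HTTPS on dispatched requests.
public final class HttpsOnlyRedirectFilter implements Filter {

    private int httpsPort = 443; // overridden by the hypothetical "httpsPort" init-param

    public void init(FilterConfig config) throws ServletException {
        String port = config.getInitParameter("httpsPort");
        if (port != null) {
            try {
                httpsPort = Integer.parseInt(port.trim());
            } catch (NumberFormatException e) {
                throw new ServletException("httpsPort must be a number: " + port, e);
            }
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse rsp = (HttpServletResponse) response;
        if (req.isSecure()) {
            // Already on TLS: let the forward (e.g. to the login page) proceed.
            chain.doFilter(request, response);
            return;
        }
        // Plain HTTP: redirect and stop, so nothing is written after the redirect.
        // Inside an INCLUDE dispatch the container ignores sendRedirect.
        // getServerName() reflects the Host header sent by the client.
        rsp.sendRedirect(httpsUrl(req.getServerName(), httpsPort,
                req.getRequestURI(), req.getQueryString()));
    }

    // Builds the HTTPS target, keeping the query string and omitting the default port.
    static String httpsUrl(String host, int port, String uri, String query) {
        StringBuilder url = new StringBuilder("https://").append(host);
        if (port != 443) url.append(':').append(port);
        url.append(uri);
        if (query != null) url.append('?').append(query);
        return url.toString();
    }

    public void destroy() { }
}
```

It is mapped the same way as the filter in the message, with `<dispatcher>` entries for FORWARD and ERROR on the `/ssl/*` pattern.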