tomcat-users mailing list archives

From John Smith <>
Subject Re: Restricting SSL access within webapp
Date Tue, 05 Aug 2014 14:04:29 GMT
All,

Thanks for the thoughtful advice and replies.

To answer a few questions, belatedly, yes it would be an option to move the
admin tools to another instance of TC, as Leo suggested -- in a way a
better one, since it wouldn't need session replication, could exist on a
single server since the traffic would be trivial, and would be
potentially more secure. I'll probably do this in the long term.

If not that, then url-rewrites or a filter to bounce users out of https is
another simpler option, as Chris suggested.

Based on the information about SSL not being that expensive, I'll just
leave it in for now, at the client's discretion, as Charles originally
suggested. Our user base is probably not going to suddenly all jump on
https, so I can watch and see if it affects performance. The area that
mandatorily requires SSL is configured with a security constraint -- for
the rest of the site, I'll leave it up to the user.

