Posted to users@tomcat.apache.org by lu...@fontanus.com on 2003/01/27 20:44:09 UTC

HTTPS --> HTTP redirecting

Hello,

Is it possible to configure Tomcat (4.1.x) in such a way that a request can be 
redirected automatically from HTTPS to HTTP port?

Let's assume that a Website has two separate (non-overlapping) sets of 
resources ("/non_secure_resources/*" and "/secure_resources/*" respectively) and 
the web.xml descriptor defines the following security constraints:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Non Secure Resources</web-resource-name>
            <url-pattern>/non_secure_resources/*</url-pattern>
        </web-resource-collection>

        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure Resources</web-resource-name>
            <url-pattern>/secure_resources/*</url-pattern>
        </web-resource-collection>

        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Then any HTTP request matching "/secure_resources/*" will be automatically 
redirected (assuming that an SSL certificate is installed). However, HTTPS 
requests matching "/non_secure_resources/*" 
(i.e. "https://non_secure_resources/non-secure.jsp") are not redirected back to 
HTTP as I would expect from the first security constraint. The problem that I'm 
currently having is that some JSP pages under "/secure_resources" have links 
pointing to pages within the non-secure portion of the Website, 
i.e. "/secure_resources/secure.jsp" contains a link "<a 
href="/non_secure_resources/non-secure.jsp">". (Also, please notice that these 
links don't explicitly specify the protocol, i.e. "http://", because I don't 
want to hardcode the whole URL (some links are relative)). Considering this, 
when such a link is followed the protocol (HTTPS) is not changed back to HTTP. 
Does anyone know if there is a solution to this other than using absolute URLs 
with the HTTP protocol hardcoded in them?

Thanks,
Lukasz Szelag




--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: HTTPS --> HTTP redirecting

Posted by lu...@fontanus.com.
Quoting Bill Barker <wb...@wilshire.com>:

> AFAIK, using absolute URLs is the only supported way to go.   However, it
> would be easy enough to write a Filter that does the redirect for you:
> 
> public class MyFilter implements Filter {
>   public void init(FilterConfig conf) {}
>   public void destroy() {}
>   public void doFilter(ServletRequest req, ServletResponse res, FilterChain
> chain)
>    throws ServletException,IOException {
>    if( req.isSecure() && res instanceof HttpServletResponse ) {

Thanks. Actually, I already wrote a similar filter to solve the problem. Is 
there any particular reason for which you are doing an additional check (res 
instanceof HttpServletResponse) in your code?

Lukasz Szelag





Re: HTTPS --> HTTP redirecting

Posted by Bill Barker <wb...@wilshire.com>.
<lu...@fontanus.com> wrote in message
news:1043696649.3e358c091e2ca@www.fontanus.net...
> Hello,
>
> Is it possible to configure Tomcat (4.1.x) in such a way that a request can be
> redirected automatically from HTTPS to HTTP port?
>
> Let's assume that a Website has two separate (non-overlapping) sets of
> resources ("/non_secure_resources/*" and "/secure_resources/*" respectively) and
> the web.xml descriptor defines the following security constraints:
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Non Secure Resources</web-resource-name>
>             <url-pattern>/non_secure_resources/*</url-pattern>
>         </web-resource-collection>
>
>         <user-data-constraint>
>             <transport-guarantee>NONE</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Secure Resources</web-resource-name>
>             <url-pattern>/secure_resources/*</url-pattern>
>         </web-resource-collection>
>
>         <user-data-constraint>
>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
>
> Then any HTTP request matching "/secure_resources/*" will be automatically
> redirected (assuming that an SSL certificate is installed). However, HTTPS
> requests matching "/non_secure_resources/*"
> (i.e. "https://non_secure_resources/non-secure.jsp") are not redirected back to
> HTTP as I would expect from the first security constraint. The problem that I'm
> currently having is that some JSP pages under "/secure_resources" have links
> pointing to pages within the non-secure portion of the Website,
> i.e. "/secure_resources/secure.jsp" contains a link "<a
> href="/non_secure_resources/non-secure.jsp">". (Also, please notice that these
> links don't explicitly specify the protocol, i.e. "http://", because I don't
> want to hardcode the whole URL (some links are relative)). Considering this,
> when such a link is followed the protocol (HTTPS) is not changed back to HTTP.
> Does anyone know if there is a solution to this other than using absolute URLs
> with the HTTP protocol hardcoded in them?

AFAIK, using absolute URLs is the only supported way to go.   However, it
would be easy enough to write a Filter that does the redirect for you:

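import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Map this filter to /non_secure_resources/* only: it redirects every
// secure request it sees.
public class MyFilter implements Filter {
  public void init(FilterConfig conf) {}
  public void destroy() {}
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws ServletException, IOException {
    if( req.isSecure() && res instanceof HttpServletResponse ) {
      HttpServletRequest hreq = (HttpServletRequest)req;
      StringBuffer nReq = new StringBuffer();
      // The target needs the host name as well as the path; this assumes
      // the plain HTTP connector listens on the default port 80.
      nReq.append("http://").append(hreq.getServerName())
          .append(hreq.getRequestURI());
      if(hreq.getQueryString() != null) {
        nReq.append('?').append(hreq.getQueryString());
      }
      ((HttpServletResponse)res).sendRedirect(nReq.toString());
    } else {
      chain.doFilter(req, res);
    }
  }
}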


>
> Thanks,
> Lukasz Szelag
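
A variant of the filter discussed in this thread, added here as an example and not part of the original messages: it takes the HTTP host and port from filter init-params rather than from request data, and leaves non-GET/HEAD requests alone because a redirect would drop their body. The class name `HttpDowngradeFilter` and the init-param names `httpHost` and `httpPort` are assumptions made for this sketch.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class and init-param names). Map it only to
// /non_secure_resources/* with a <filter-mapping> in web.xml.
public class HttpDowngradeFilter implements Filter {
  private String httpHost;   // init-param "httpHost", e.g. www.example.com
  private int httpPort = 80; // init-param "httpPort", optional

  public void init(FilterConfig conf) throws ServletException {
    httpHost = conf.getInitParameter("httpHost");
    if (httpHost == null || httpHost.length() == 0) {
      throw new ServletException("init-param httpHost is required");
    }
    String port = conf.getInitParameter("httpPort");
    if (port != null) httpPort = Integer.parseInt(port.trim());
  }
  public void destroy() {}

  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws ServletException, IOException {
    // Filters receive the protocol-independent types; only HTTP can redirect.
    boolean http = req instanceof HttpServletRequest && res instanceof HttpServletResponse;
    if (!http || !req.isSecure()) {
      chain.doFilter(req, res);
      return;
    }
    HttpServletRequest hreq = (HttpServletRequest) req;
    // A redirect drops the request body, so only GET and HEAD are redirected.
    String method = hreq.getMethod();
    if (!"GET".equals(method) && !"HEAD".equals(method)) {
      chain.doFilter(req, res);
      return;
    }
    StringBuffer target = new StringBuffer("http://").append(httpHost);
    if (httpPort != 80) target.append(':').append(httpPort);
    target.append(hreq.getRequestURI());
    if (hreq.getQueryString() != null) target.append('?').append(hreq.getQueryString());
    ((HttpServletResponse) res).sendRedirect(target.toString());
  }
}
```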



