Posted to users@tomcat.apache.org by wmueller <wm...@trash-mail.com> on 2008/08/29 15:11:18 UTC

secure parts of a web application with https

Hello Everybody,

I have a small web application. Some pages are free to visit for everyone
but some others are only available after login (username/password). I try to
make the login page and all other pages after the login to use https.

You can think of an application structure like this:

/public/page.xhtml
/private/login.xhtml
/private/morepage.xhtml

while all pages under /public use http and all pages under private should
only be accessible with https

But I have no idea how to achieve this.

By the way I use JSF and Tomcat 6


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: secure parts of a web application with https

Posted by Juha Laiho <Ju...@iki.fi>.
wmueller wrote:
> I have a small web application. Some pages are free to visit for everyone
> but some others are only available after login (username/password). I try to
> make the login page and all other pages after the login to use https.
> 
> You can think of an application structure like this:
> 
> /public/page.xhtml
> /private/login.xhtml
> /private/morepage.xhtml
> 
> while all pages under /public use http and all pages under private should
> only be accessible with https

You should create a security constraint for the /private branch of the pages
in the web.xml file of your application. The following fragment should be
rather close to what you're looking for (/private/* requires that the user is
authenticated and is only available through a protected connection).

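<security-constraint>
  <web-resource-collection>
    <!-- web-resource-name is required by the schema; the name itself is arbitrary -->
    <web-resource-name>private</web-resource-name>
    <url-pattern>/private/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>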

On top of that, you'll naturally need to set up Tomcat so that it also
accepts https connections.
-- 
..Juha
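
Added example, not part of the original thread or of Tomcat: a small audit script that reads a web.xml and reports which request paths its security constraints force onto HTTPS, so the /public versus /private split can be checked before deployment. The descriptor is a constructed sample, the function names are hypothetical, and the matching is simplified (best-matching url-pattern only, http-method ignored).

```python
# Added example: report the transport guarantee a web.xml imposes per path.
import xml.etree.ElementTree as ET

# Constructed sample descriptor, modelled on the layout in the question.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>private</web-resource-name>
      <url-pattern>/private/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""
ORDER = ["NONE", "INTEGRAL", "CONFIDENTIAL"]  # weakest first

def load_constraints(xml_text):
    """Return [(url_pattern, transport_guarantee)] for every constraint."""
    out = []
    for sc in ET.fromstring(xml_text).findall(".//{*}security-constraint"):
        tg = sc.findtext(".//{*}transport-guarantee", "NONE").strip()
        out += [(p.text.strip(), tg) for p in sc.findall(".//{*}url-pattern")]
    return out

def match_rank(pattern, path):
    """Servlet-style matching: exact > longest prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def transport_for(path, constraints):
    """Guarantee of the best-matching pattern; the weakest wins on a tie."""
    ranked = [(r, tg) for p, tg in constraints if (r := match_rank(p, path)) is not None]
    if not ranked:
        return "NONE"  # no constraint applies: plain http is accepted
    best = max(r for r, _ in ranked)
    return min((tg for r, tg in ranked if r == best), key=ORDER.index)

if __name__ == "__main__":
    rules = load_constraints(WEB_XML)
    for p in ("/public/page.xhtml", "/private/login.xhtml", "/private/morepage.xhtml"):
        print(p, "->", transport_for(p, rules))
```

A path that reports NONE is reachable over plain http, which is the thing to look for if a page that should be protected sits outside /private.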


Re: secure parts of a web application with https

Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
wmueller wrote:
> Hello Everybody,
>
> I have a small web application. Some pages are free to visit for everyone
> but some others are only available after login (username/password). I try to
> make the login page and all other pages after the login to use https.
>
http://edocs.bea.com/wls/docs61/webapp/web_xml.html#1021230

-- 
Mikolaj Rydzewski <mi...@ceti.pl>

