Posted to users@tomcat.apache.org by wmueller <wm...@trash-mail.com> on 2008/08/29 15:11:18 UTC
secure parts of a web application with https
Hello Everybody,
I have a small web application. Some pages are free to visit for everyone
but some others are only available after login (username/password). I try to
make the login page and all other pages after the login to use https.
You can think of an application structure like this:
/public/page.xhtml
/private/login.xhtml
/private/morepage.xhtml
while all pages under /public use http and all pages under private should
only be accessible with https.
But I have no idea how to achieve this.
By the way, I use JSF and Tomcat 6.
--
View this message in context: http://www.nabble.com/secure-parts-of-a-web-application-with-https-tp19219602p19219602.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: secure parts of a web application with https
Posted by Juha Laiho <Ju...@iki.fi>.
wmueller wrote:
> I have a small web application. Some pages are free to visit for everyone
> but some others are only available after login (username/password). I try to
> make the login page and all other pages after the login to use https.
>
> You can think of an application structure like this:
>
> /public/page.xhtml
> /private/login.xhtml
> /private/morepage.xhtml
>
> while all pages under /public use http and all pages under private should
> only be accessible with https.
You should create a security constraint for the /private branch of the pages
in the web.xml file of your application. The following fragment should be
rather close to what you're looking for (/private/* require that user is
authenticated and are only available through a protected connection).
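<security-constraint>
  <web-resource-collection>
    <!-- web-resource-name is required by the web.xml schema; the value is only a label -->
    <web-resource-name>Private pages</web-resource-name>
    <url-pattern>/private/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- "*" stands for all roles defined in this web application -->
    <role-name>*</role-name>
  </auth-constraint>
  <!-- CONFIDENTIAL: the container serves these URLs only over a protected connection -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>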
On top of that, you'll naturally need to set up Tomcat so that it also
accepts https connections.
--
..Juha
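
The following is an added example, not part of the original thread and not Tomcat's own code: a Python check that parses a web.xml and reports, for each url-pattern, whether its security constraint requires authentication and a CONFIDENTIAL transport guarantee. The sample descriptor is constructed; the /admin/* entry and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor: /private/* is constrained as in the thread;
# /admin/* is a hypothetical second area that omits the transport guarantee.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>private</web-resource-name>
      <url-pattern>/private/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so namespaced and namespace-less descriptors match."""
    return tag.rsplit("}", 1)[-1]


def audit_constraints(web_xml_text):
    """Return one dict per url-pattern with its roles and transport guarantee status."""
    root = ET.fromstring(web_xml_text)  # raises ET.ParseError on an unclosed tag
    findings = []
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        by_name = {}  # local tag name -> list of text values inside this constraint
        for el in sc.iter():
            by_name.setdefault(_local(el.tag), []).append((el.text or "").strip())
        guarantee = (by_name.get("transport-guarantee") or ["NONE"])[0]
        for pattern in by_name.get("url-pattern", []):
            findings.append({"pattern": pattern,
                             "roles": by_name.get("role-name", []),
                             "has_auth": "auth-constraint" in by_name,
                             "confidential": guarantee == "CONFIDENTIAL"})
    return findings


if __name__ == "__main__":
    for finding in audit_constraints(SAMPLE_WEB_XML):
        print(finding)
```

A pattern reported with "confidential": False is protected by login but may still be served over plain http.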
Re: secure parts of a web application with https
Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
wmueller wrote:
> Hello Everybody,
>
> I have a small web application. Some pages are free to visit for everyone
> but some others are only available after login (username/password). I try to
> make the login page and all other pages after the login to use https.
>
http://edocs.bea.com/wls/docs61/webapp/web_xml.html#1021230
--
Mikolaj Rydzewski <mi...@ceti.pl>