Posted to users@tomcat.apache.org by alla winter <al...@gmail.com> on 2007/10/22 21:48:52 UTC

How can I ensure that client access servlets via HTTPS?

I would appreciate it if you could give me a suggestion on how to force clients to
access the servlet through SSL for Tomcat 5.2.25 and JDK 1.5.0_12. (Tomcat
is set up for SSL with APR 1.9 and I can access it via HTTPS.)



I was thinking that I can accomplish that with the following:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>view dept data</web-resource-name>
        <url-pattern>/cobra_source/servlet/servlet/com.cobrasource.servlets.InitiatorServlet</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>





However, it doesn't make any difference and I can access this servlet via
HTTP.

Could it be that I do not have a user role? But I have a different method
for authentication that is conducted outside of Tomcat.

Am I missing something, or is there something else that I can do?



Thanks for your help

Fwd: How can I ensure that client access servlets via HTTPS?

Posted by alla winter <al...@gmail.com>.
I would appreciate it if you answer the question below
thanks

---------- Forwarded message ----------
From: alla winter <al...@gmail.com>
Date: Oct 22, 2007 2:48 PM
Subject: How can I ensure that client access servlets via HTTPS?
To: users@tomcat.apache.org


