Posted to users@tomcat.apache.org by Jan Strauch <wa...@web.de> on 2007/01/06 00:18:02 UTC

yet another SSL question

Hello world!

My problem:

I want some of my servlets to be accessible only when HTTPS is used:
    https:/<path to servlet> succeeds
    http:/<path to servlet> gives an error

The first step seems to work, but when I have logged in to the secure area,
load a page using https, delete the "s" and reload, the page is also loaded.

How do I block the unsecured reload?

I tried some of the hints for JSPs, but they seem not to work with servlets.

My web.xml:

<web-app>
        <servlet>
                <servlet-name>myServlet</servlet-name>
                <servlet-class>myServlet</servlet-class>
        </servlet>
            ... more servlets...
        <servlet-mapping>
                <servlet-name>myServlet</servlet-name>
                <url-pattern>path to myServlet</url-pattern>
        </servlet-mapping>
        ... more servlets...
</web-app>

What security-constraints do I need, and where do I have to put them?

Thank you 


Re: yet another SSL question

Posted by Martin Gainty <mg...@hotmail.com>.
LambdaProbe has all of the state information which I have been seeking for years
To one and all please look at http://lambdaprobe.org and view Cluster, Status, System Information as well as a plethora of categories too numerous
to list here..I am heartened by threads/ClassLoader metrics availability

Thanks Chuck

Martin --



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: yet another SSL question

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: waynel@web.de [mailto:waynel@web.de] 
> Subject: Re: yet another SSL question
> 
> Is it possible to have multiple different Login pages in one webapp?

Yes; look at section 12.8 of the Servlet spec:
http://jcp.org/aboutJava/communityprocess/final/jsr154/index.html

Use different <url-pattern> settings for each area of the webapp that
you want to control.

For a real-world example of using multiple security constraints in one
web app, look inside Lambda Probe's WEB-INF/web.xml file (download from
http://lambdaprobe.org).

 - Chuck





Re: yet another SSL question

Posted by Jan Strauch <wa...@web.de>.
First, thanks for your help.

But now I got the next problem:

Is it possible to have multiple different Login pages in one webapp?

Scenario:

- Two areas (DB,shop) in one webapp
- two groups of users having access to one of the areas.
- one member of both groups.

When I am logged in to the DB section and call a page in the shop section I
get a "permission denied" error.

How do I manage to have a new login window to get access to the other
section? "auth-method" in web.xml is "BASIC". I tried "FORM"-based login with a
re-login as error page, but did not get it to work.
Is there a better way than a third user group with access to both sections?
Can I invoke an automatic logoff when a page outside the current section is
called, so I can force a new login to the entered section?
Is there any way to log out?
Is it possible with the Basic method to have different logins depending on which
page is called?





Re: yet another SSL question

Posted by Dhaval Patel <dh...@yahoo.com>.
Try this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure servlet</web-resource-name>
            <url-pattern>/path/to/servlet/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Regards,
D
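A web.xml that combines Chuck's advice (one <security-constraint> per area, each with its own <url-pattern>) with Dhaval's <transport-guarantee>, as an added example and not code from any post in this thread. The paths /db/* and /shop/*, the role names db-user and shop-user and the realm name are assumptions; <auth-method> is BASIC as in Jan's setup.

```xml
<web-app>
    <!-- Servlet declarations and mappings from the original web.xml go here. -->

    <!-- Area 1: the DB section. Only role db-user may enter, and only over HTTPS.
         Path and role name are assumptions for this example. No <http-method> is
         listed on purpose: with none listed the constraint covers every HTTP method,
         whereas listing only GET and POST leaves HEAD, PUT, etc. unconstrained. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>DB area</web-resource-name>
            <url-pattern>/db/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>db-user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- CONFIDENTIAL makes Tomcat send plain http requests to https, which
                 closes the "delete the s and reload" hole from the first post. -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Area 2: the shop section, same shape with its own role. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Shop area</web-resource-name>
            <url-pattern>/shop/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>shop-user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- One <login-config> applies to the whole webapp (BASIC, as in the question). -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Protected areas</realm-name>
    </login-config>

    <!-- Every role referenced in an <auth-constraint> must be declared. -->
    <security-role>
        <role-name>db-user</role-name>
    </security-role>
    <security-role>
        <role-name>shop-user</role-name>
    </security-role>
</web-app>
```

Tomcat honours CONFIDENTIAL by redirecting to the port named in the HTTP connector's redirectPort attribute in server.xml, so that attribute must point at the HTTPS connector or the redirect fails. A user who holds only db-user still gets "permission denied" on /shop/*; a separate login for the other area is the question Chuck's reply addresses.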






RE: yet another SSL question

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: waynel@web.de [mailto:waynel@web.de] 
> Subject: yet another SSL question
> 
> What security-constraints do i need, and where do i have to put them?

The basis for Dhaval's suggestion is section 12 of the servlet spec,
obtainable here:
http://jcp.org/aboutJava/communityprocess/final/jsr154/index.html

For additional examples, look at the WEB-INF/web.xml files for Tomcat's
built-in manager and admin apps, usually installed under the
server/webapps directory, although as delivered, those do not require
HTTPS.  The <transport-guarantee> is necessary to force that.

 - Chuck


