You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Lyallex <ly...@gmail.com> on 2007/07/03 10:53:03 UTC

Re: Old Chestnut (http - https) causing some confusion

Hi

Just a short note to say thanks to those that replied to my post

I've spent the past three days trying to figure out the best approach given
all the options available and I have something working. It's doesn't work
quite how I'd like, the main problem being that when I get a
RequestDispatcher in a Servlet and forward to a resource that has a mapping
to a Filter the Filter doesn't fire. I think I understand why (forwarding
passes the request and response to another resource, it's not like making a
request) but it doesn't really help me. Still, like someone said, it's all a
matter of tradeoffs.

Regards
Duncan



On 6/29/07, Lyallex <ly...@gmail.com> wrote:
>
> Hi
>
> Java 1.5.0_10
> Tomcat 5.5.17
>
> I've just spent the past couple of hours reading past postings to this
> list at marc.info
>
> The subject I'm interested in is the efficient use of ssl/https.
> I have managed to get the 'redirection' to https working with the
> following
> entry in web.xml (amongst other config type things)
>
>   <security-constraint>
>    ...
>     <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>
> The problem, as I'm sure you've guessed by now is that once an account is
> logged in
> I want the client to be able to browse the site via http, not https.
>
> I know this issue has been around since at least 2004 (this is as far back
> as I went)
>
> The Tomcat Docs at http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.htmlstate
>
> <quote>
>
> "... Also, while the SSL protocol was designed to be as efficient as
> securely possible,
> encryption/decryption is a computationally expensive process from a
> performance standpoint.
> It is not strictly necessary to run an entire web application over SSL,
> and indeed a developer
> can pick and choose which pages require a secure connection and which do
> not..."
>
> </quote>
>
> Marvelous... thing is I've seen various solutions suggested from fronting
> Tomcat with Apache httpd and
> using something called modRedirect to writing some sort of filter. Have
> the experts come to some sort of conclusion
> as to the best way to 'pick and choose which pages require a secure
> connection...'  given the various security issues that seem to be of concern
> etc.
>
> Many thanks for reading this, I'm sure you're all bored to tears by this
> subject now.
>
> Rgds
> Duncan