You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by yo...@darkmag.net on 2003/05/22 14:31:13 UTC
Non-SSL auto redirection in web.xml ?
Hail,
i'm currently tryin' to set up a SSL connection for a part of my webapp
(ie : a subdir). Thus, i defined a SSL connector in the server.xml,
actually port 8443 (default value) and port 80 for the non-SSL connector.
When i'm connecting to this subdir, i'm perfectly redirected to the SSL
port, as my security constraints are defined as followed :
<security-constraint>
<web-resource-collection>
<web-resource-name>test</web-resource-name>
<url-pattern>/jsp/index.jsp</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<user-data-constraint>
<description>SSL not required</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>test2</web-resource-name>
<url-pattern>/jsp/subdir/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<user-data-constraint>
<description>SSL required</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
But when i'm leaving this subdir and returning to the "home page" of the
webapp, i'd like to be automatically redirected to the non SSL port.
That's why i defined a security constraint for my index.jsp, but it
doesn't work.
I Also tried to set up thoses parameters into my non SSL connector :
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
port="80" ... secure="false" scheme="http" />
And add a "redirectPort" parameter into my SSL connector :
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
port="8443" ... redirectPort="80">
But it doesn't work either, it seems to be only an "one way" process..
I may redirect manually to the HTTP protocol in the logout process
(response.sendRedirect("http://...")), but i wanted other pages to be
non-available via HTTPS.
So, do you have an idea ? I also may check in jsp/servlets if the request
is secure (and redirect in some cases), but the less i've to modify my
code, the better it will be :)
Thx a lot,
YoGi
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Non-SSL auto redirection in web.xml ?
Posted by Bill Barker <wb...@wilshire.com>.
However, it's a pretty easy Filter. Something like:
doFilter(ServletRequest request, ServletResponse response, FilterChain
chain)
throws IOException, ServletException {
if(request.isSecure() && request instanceof HttpServletRequest) {
HttpServletRequest hrequest = (HttpServletRequest)request;
if( !hrequest.getServletPath().startsWith("/jsp/subdir") ) {
StringBuffer sb = new StringBuffer();
sb.append("http://").append(hrequest.getServerName());
// if(nonstandardport) sb.append(':').append(portnum);
sb.append(hrequest.getRequestURI());
if( hrequest.getQueryString() != null ) {
sb.append('?').append(hrequest.getQueryString());
}
HttpServletResponse hresponse =
(HttpServletResponse)response;
hresponse.sendRedirect(sb.toString());
return;
}
}
chain.doFilter(request, response);
}
"Tim Funk" <fu...@joedog.org> wrote in message
news:3ECCC7A3.2030908@joedog.org...
> Tomcat won't do that for you. The behavior you desire is not part of the
> spec. There is a section describing how you can guarantee secure requests,
> but there is no part guaranteeing requests are insecure.
>
> -Tim
>
> yogi-ml@darkmag.net wrote:
> > I just saw someone ask for the same thing this morning at ~5:00 AM
> > (GMT+1), sorry for that (i'm using a webmail, that's not very convenient
> > for search..), but as there's no answer, my question's still up :)
> >
> >
> >>Hail,
> >>
> >>i'm currently tryin' to set up a SSL connection for a part of my webapp
> >>(ie : a subdir). Thus, i defined a SSL connector in the server.xml,
> >>actually port 8443 (default value) and port 80 for the non-SSL
connector.
> >>
> >>When i'm connecting to this subdir, i'm perfectly redirected to the SSL
> >>port, as my security constraints are defined as followed :
> >>
> >><security-constraint>
> >> <web-resource-collection>
> >> <web-resource-name>test</web-resource-name>
> >> <url-pattern>/jsp/index.jsp</url-pattern>
> >> <http-method>POST</http-method>
> >> <http-method>GET</http-method>
> >> </web-resource-collection>
> >>
> >> <user-data-constraint>
> >> <description>SSL not required</description>
> >> <transport-guarantee>NONE</transport-guarantee>
> >> </user-data-constraint>
> >></security-constraint>
> >>
> >><security-constraint>
> >> <web-resource-collection>
> >> <web-resource-name>test2</web-resource-name>
> >> <url-pattern>/jsp/subdir/*</url-pattern>
> >> <http-method>POST</http-method>
> >> <http-method>GET</http-method>
> >> </web-resource-collection>
> >>
> >> <user-data-constraint>
> >> <description>SSL required</description>
> >> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >> </user-data-constraint>
> >></security-constraint>
> >>
> >>But when i'm leaving this subdir and returning to the "home page" of the
> >>webapp, i'd like to be automatically redirected to the non SSL port.
> >>That's why i defined a security constraint for my index.jsp, but it
> >>doesn't work.
> >>
> >>I Also tried to set up thoses parameters into my non SSL connector :
> >>
> >> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
> >>port="80" ... secure="false" scheme="http" />
> >>
> >>And add a "redirectPort" parameter into my SSL connector :
> >>
> >> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
> >>port="8443" ... redirectPort="80">
> >>
> >>But it doesn't work either, it seems to be only an "one way" process..
> >>
> >>I may redirect manually to the HTTP protocol in the logout process
> >>(response.sendRedirect("http://...")), but i wanted other pages to be
> >>non-available via HTTPS.
> >>
> >>So, do you have an idea ? I also may check in jsp/servlets if the
request
> >>is secure (and redirect in some cases), but the less i've to modify my
> >>code, the better it will be :)
> >>
> >>Thx a lot,
> >>
> >>YoGi
> >>
> >>
> >>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >>
> >>
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> >
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Non-SSL auto redirection in web.xml ?
Posted by Tim Funk <fu...@joedog.org>.
Tomcat won't do that for you. The behavior you desire is not part of the
spec. There is a section describing how you can guarantee secure requests,
but there is no part guaranteeing requests are insecure.
-Tim
yogi-ml@darkmag.net wrote:
> I just saw someone ask for the same thing this morning at ~5:00 AM
> (GMT+1), sorry for that (i'm using a webmail, that's not very convenient
> for search..), but as there's no answer, my question's still up :)
>
>
>>Hail,
>>
>>i'm currently tryin' to set up a SSL connection for a part of my webapp
>>(ie : a subdir). Thus, i defined a SSL connector in the server.xml,
>>actually port 8443 (default value) and port 80 for the non-SSL connector.
>>
>>When i'm connecting to this subdir, i'm perfectly redirected to the SSL
>>port, as my security constraints are defined as followed :
>>
>><security-constraint>
>> <web-resource-collection>
>> <web-resource-name>test</web-resource-name>
>> <url-pattern>/jsp/index.jsp</url-pattern>
>> <http-method>POST</http-method>
>> <http-method>GET</http-method>
>> </web-resource-collection>
>>
>> <user-data-constraint>
>> <description>SSL not required</description>
>> <transport-guarantee>NONE</transport-guarantee>
>> </user-data-constraint>
>></security-constraint>
>>
>><security-constraint>
>> <web-resource-collection>
>> <web-resource-name>test2</web-resource-name>
>> <url-pattern>/jsp/subdir/*</url-pattern>
>> <http-method>POST</http-method>
>> <http-method>GET</http-method>
>> </web-resource-collection>
>>
>> <user-data-constraint>
>> <description>SSL required</description>
>> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> </user-data-constraint>
>></security-constraint>
>>
>>But when i'm leaving this subdir and returning to the "home page" of the
>>webapp, i'd like to be automatically redirected to the non SSL port.
>>That's why i defined a security constraint for my index.jsp, but it
>>doesn't work.
>>
>>I Also tried to set up thoses parameters into my non SSL connector :
>>
>> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>>port="80" ... secure="false" scheme="http" />
>>
>>And add a "redirectPort" parameter into my SSL connector :
>>
>> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>>port="8443" ... redirectPort="80">
>>
>>But it doesn't work either, it seems to be only an "one way" process..
>>
>>I may redirect manually to the HTTP protocol in the logout process
>>(response.sendRedirect("http://...")), but i wanted other pages to be
>>non-available via HTTPS.
>>
>>So, do you have an idea ? I also may check in jsp/servlets if the request
>>is secure (and redirect in some cases), but the less i've to modify my
>>code, the better it will be :)
>>
>>Thx a lot,
>>
>>YoGi
>>
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>
>>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Non-SSL auto redirection in web.xml ?
Posted by yo...@darkmag.net.
I just saw someone ask for the same thing this morning at ~5:00 AM
(GMT+1), sorry for that (i'm using a webmail, that's not very convenient
for search..), but as there's no answer, my question's still up :)
> Hail,
>
> i'm currently tryin' to set up a SSL connection for a part of my webapp
> (ie : a subdir). Thus, i defined a SSL connector in the server.xml,
> actually port 8443 (default value) and port 80 for the non-SSL connector.
>
> When i'm connecting to this subdir, i'm perfectly redirected to the SSL
> port, as my security constraints are defined as followed :
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>test</web-resource-name>
> <url-pattern>/jsp/index.jsp</url-pattern>
> <http-method>POST</http-method>
> <http-method>GET</http-method>
> </web-resource-collection>
>
> <user-data-constraint>
> <description>SSL not required</description>
> <transport-guarantee>NONE</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>test2</web-resource-name>
> <url-pattern>/jsp/subdir/*</url-pattern>
> <http-method>POST</http-method>
> <http-method>GET</http-method>
> </web-resource-collection>
>
> <user-data-constraint>
> <description>SSL required</description>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
>
> But when i'm leaving this subdir and returning to the "home page" of the
> webapp, i'd like to be automatically redirected to the non SSL port.
> That's why i defined a security constraint for my index.jsp, but it
> doesn't work.
>
> I Also tried to set up thoses parameters into my non SSL connector :
>
> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
> port="80" ... secure="false" scheme="http" />
>
> And add a "redirectPort" parameter into my SSL connector :
>
> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
> port="8443" ... redirectPort="80">
>
> But it doesn't work either, it seems to be only an "one way" process..
>
> I may redirect manually to the HTTP protocol in the logout process
> (response.sendRedirect("http://...")), but i wanted other pages to be
> non-available via HTTPS.
>
> So, do you have an idea ? I also may check in jsp/servlets if the request
> is secure (and redirect in some cases), but the less i've to modify my
> code, the better it will be :)
>
> Thx a lot,
>
> YoGi
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org