Posted to users@tomcat.apache.org by "Cook, Christopher H (IndSys, GE Interlogix)" <Ch...@ge.com> on 2002/12/17 21:43:03 UTC

Selecting which pages to use SSL with

The documentation supplied for tomcat that pertains to the configuration of ssl states -
"indeed a developer can pick and choose which pages require a secure connection and which do not. For a reasonably busy site, it is customary to only run certain pages under SSL, namely those pages where sensitive information could possibly be exchanged. ...  Any pages which absolutely require a secure connection should check the protocol type associated with the page request and take the appropriate action if https is not specified."

I have SSL set up in my application currently, so that any page I request can either use https or http.  How do I restrict access to some pages using http, while allowing others to use it?  Basically, how do I implement the scenarios described in the above passage?  Or where is there documentation on this?

Thanks,

Chris

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Selecting which pages to use SSL with

Posted by Alexander Wallace <aw...@rwsoft-online.com>.
I've gone through the same questions lately, and am still learning, but here is 
what I've learned from the list and other places.

*Once you start using https, you should NOT switch back to http. Doing so will 
allow whoever is listening to sniff the session id and put at risk whatever you thought 
you secured with https. So, if during a session a user goes to https, you 
should not switch back to http just because the next page does not need to be 
secured; at this point it is not the page, but the session, that needs to be 
secure.

*There are numerous ways to know if you are running https and also to switch 
to https if you were not.

I use a filter to look at what port and protocol is being requested, and 
switch to https if necessary. The method used varies if you use apache + 
tomcat or tomcat stand-alone. This is because when using apache, apache talks to 
tomcat always in http; it takes charge of all communication being secure with 
the client, but it tells you the user requested a secure session by 
appending the secure port number to the url requested. If tomcat is being 
used stand-alone, you can check what protocol was requested and other stuff 
using httpRequest's getScheme(), getProtocol(), getServerPort() and stuff like 
that.

If a servlet or jsp needs to know if a secure session was requested, you can use 
the isSecure() method of the request.

There is also a way to force tomcat to ensure a secure scheme is being used, by 
adding something like the following to your web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL-Only Portion Of This Webapp</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

And you can also make apache not serve anything but whatever URI prefix you 
specify, so it won't serve something if it begins with /secure, which you can 
use as the prefix for any jsp or servlet you want to make sure runs only in a 
secure way.

I hope all this helps!






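As an added example (not code from the thread), a servlet filter that does the stand-alone-Tomcat check Alexander describes: it asks the request isSecure() and, if the page was fetched over plain http, redirects the client to the same URI over https. The class name, the securePort init-param and the /secure/* mapping are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: map it in web.xml to the pages that must run under SSL, e.g.
//   <filter-mapping><filter-name>requireSsl</filter-name><url-pattern>/secure/*</url-pattern></filter-mapping>
public class RequireSslFilter implements Filter {
    private int securePort = 443;   // overridden by the (assumed) "securePort" init-param

    public void init(FilterConfig cfg) throws ServletException {
        String p = cfg.getInitParameter("securePort");
        if (p != null) {
            securePort = Integer.parseInt(p);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true when the connector that received the request used SSL.
        if (!request.isSecure()) {
            // Rebuild the same URI on the https port and send the browser there.
            // Note: anything the client already sent over http (query string, a POST
            // body) has already crossed the wire in clear; the redirect cannot undo that.
            StringBuffer url = new StringBuffer("https://");
            url.append(request.getServerName());
            if (securePort != 443) {
                url.append(':').append(securePort);
            }
            url.append(request.getRequestURI());
            if (request.getQueryString() != null) {
                url.append('?').append(request.getQueryString());
            }
            response.sendRedirect(url.toString());
            return;
        }
        chain.doFilter(req, res);   // already https: let the page run
    }

    public void destroy() {
    }
}
```

Mapping the filter to /* instead of /secure/* is one way to follow the advice above about never dropping back to http once a session has gone secure.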


Re: Selecting which pages to use SSL with

Posted by Patrick GIRY <pa...@free.fr>.
In reply to "Cook, Christopher H (IndSys, GE Interlogix)" <Ch...@ge.com>:

You must create two hosts, one for the http requests, the second for the https
requests. You can link them to 2 virtual hosts on apache if you use it with tomcat.




Patrick GIRY
