transport guarantee in server.xml?

[Ossie Guy <os...@hotmail.com>]

In our server.xml (Tomcat 4.1), we have a context that is used to serve up 
static content (PDFs) that are collected in a directory on our server:

<Context path="/pdf" appBase="" docBase="/path/to/pdfs" 
reloadable="true"></Context>

There is no war or other webapp involved here, just the folder with the 
static files, and thus no web.xml either... (Don't worry, we are making much 
use of the servlet API elsewhere on the same server ;)

Now, we want to serve these files up through SSL - we have the SSL Connector 
configured correctly, everything's just great, BUT a savvy user can still 
get the files through non-SSL by changing the URL. So - is there any way to 
*enforce* that this context is accessed only through SSL?

I have seen documentation suggesting something like the following:

<user-data-constraint transport-guarantee="CONFIDENTIAL"/>

But this goes in web.xml, and again, we have none here - do we need to make 
one just to enforce this constraint? Or is there some way to enforce this 
from within the server.xml file itself, perhaps within the above <context> 
section?

Any help would be appreciated.

Cheers,
Ossie

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

Re: transport guarantee in server.xml?

["Robert r. Sanders" <ro...@ipov.net>]

I'm not am expert, but I don't know of any way other than creating a 
stub web.xml file - it shouldn't have to be much, but I think you're 
going to need it.  Although an alternative would be to have a <Service 
..> element in the server.xml file that has ONLY the SSL 
<Connector.../>, but that seems like even more overkill to me.

Ossie Guy wrote:

>
> In our server.xml (Tomcat 4.1), we have a context that is used to 
> serve up static content (PDFs) that are collected in a directory on 
> our server:
>
> <Context path="/pdf" appBase="" docBase="/path/to/pdfs" 
> reloadable="true"></Context>
>
> There is no war or other webapp involved here, just the folder with 
> the static files, and thus no web.xml either... (Don't worry, we are 
> making much use of the servlet API elsewhere on the same server ;)
>
> Now, we want to serve these files up through SSL - we have the SSL 
> Connector configured correctly, everything's just great, BUT a savvy 
> user can still get the files through non-SSL by changing the URL. So - 
> is there any way to *enforce* that this context is accessed only 
> through SSL?
>
> I have seen documentation suggesting something like the following:
>
> <user-data-constraint transport-guarantee="CONFIDENTIAL"/>
>
> But this goes in web.xml, and again, we have none here - do we need to 
> make one just to enforce this constraint? Or is there some way to 
> enforce this from within the server.xml file itself, perhaps within 
> the above <context> section?
>
> Any help would be appreciated.
>
> Cheers,
> Ossie
>
> _________________________________________________________________
> Express yourself instantly with MSN Messenger! Download today - it's 
> FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>

-- 
    Robert r. Sanders
    Chief Technologist
    iPOV
    (334) 821-5412
    www.ipov.net


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org