Posted to users@tomcat.apache.org by neal <ne...@yahoo.com> on 2003/01/16 23:09:08 UTC

Require a secure connection

Does anyone know how to *require* that a page be accessed only via a secure
connection?

For instance, I *can* request a secure connection to a page by going to
"https://" and the url ... but how do I prevent a user from going to
"http://" to request that same page?

Would this be a proxy thing or is it something I can set in Tomcat?  Is there
something that wouldn't require the overhead of reflecting upon every single
request at the Java level?

Thanks.
neal


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Require a secure connection

Posted by shawn <ja...@koyuru.com>.
According to
http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security5.html another
way would be to specify it in web.xml. 

... 

If you specify CONFIDENTIAL or INTEGRAL as a security constraint, that
type of security constraint applies to all requests that match the URL
patterns in the Web resource collection, not just to the login dialog.

 Specify CONFIDENTIAL when the application requires that data be
transmitted so as to prevent other entities from observing the contents
of the transmission. Specify INTEGRAL when the application requires that
the data be sent between client and server in such a way that it cannot
be changed in transit. The following example code from a web.xml file
shows this setting in context:

        <!-- SECURITY CONSTRAINT -->
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>WRCollection</web-resource-name>
              <url-pattern>/index.jsp</url-pattern>
              <http-method>GET</http-method>
            </web-resource-collection>
            <auth-constraint>
              <role-name>user</role-name>
            </auth-constraint>
            <user-data-constraint>
              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
          </security-constraint>

Shawn


On Fri, 2003-01-17 at 07:09, neal wrote:
> Does anyone know how to *require* that a page be accessed only via a secure
> connection?
> 
> For instance, I *can* request a secure connection to a page by going to
> "https://" and the url ... but how do I prevent a user from going to
> "http://" to request that same page?
> 
> Would this be a proxy thing or is something I can set in Tomcat?  Is there
> something that wouldn't require the overhead of reflecting upon every single
> request at the Java level?
> 
> Thanks.
> neal
-- 
shawn <ja...@koyuru.com>




Re: Require a secure connection

Posted by Tim Funk <fu...@joedog.org>.
This should be it ...
http://marc.theaimsgroup.com/?l=tomcat-user&m=99616711404780&w=2

-Tim

neal wrote:
> Does anyone know how to *require* that a page be accessed only via a secure
> connection?
> 
> For instance, I *can* request a secure connection to a page by going to
> "https://" and the url ... but how do I prevent a user from going to
> "http://" to request that same page?
> 
> Would this be a proxy thing or is something I can set in Tomcat?  Is there
> something that wouldn't require the overhead of reflecting upon every single
> request at the Java level?
> 
> Thanks.
> neal


Re: Require a secure connection

Posted by Jon Eaves <jo...@eaves.org>.
Hi Neal,

   <security-constraint>
       <display-name>Web Booking</display-name>
       <web-resource-collection>
           <web-resource-name>Web Booking
           </web-resource-name>
           <url-pattern>/web/*</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
       </web-resource-collection>
       <user-data-constraint>
           <transport-guarantee>
               CONFIDENTIAL
           </transport-guarantee>
       </user-data-constraint>
   </security-constraint>

Will do what you want. This will switch the transport to HTTPS.
You can also check programmatically using "request.isSecure()"
in the servlet to make sure the administrator has installed
your application and SSL correctly.


neal wrote:
> Does anyone know how to *require* that a page be accessed only via a secure
> connection?
> 
> For instance, I *can* request a secure connection to a page by going to
> "https://" and the url ... but how do I prevent a user from going to
> "http://" to request that same page?
> 
> Would this be a proxy thing or is something I can set in Tomcat?  Is there
> something that wouldn't require the overhead of reflecting upon every single
> request at the Java level?
> 
> Thanks.
> neal

-- 
Jon Eaves <jo...@eaves.org>
http://www.eaves.org/jon/




Re: Require a secure connection

Posted by mwm <to...@ward-murphy.co.uk>.
There's also a <transport-guarantee> element for web.xml that's supposed to
be handy for doing this declaratively.

Mike.

----- Original Message -----
From: "Andy Eastham" <an...@gliant.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Thursday, January 16, 2003 10:29 PM
Subject: RE: Require a secure connection


try:

if (!request.isSecure())
{
// abort code here
}

You can put this in a superclass of all your secure servlets if you like.

Andy

> -----Original Message-----
> From: neal [mailto:nealcabage@yahoo.com]
> Sent: 16 January 2003 22:09
> To: Tomcat Users List
> Subject: Require a secure connection
>
>
> Does anyone know how to *require* that a page be accessed only
> via a secure
> connection?
>
> For instance, I *can* request a secure connection to a page by going to
> "https://" and the url ... but how do I prevent a user from going to
> "http://" to request that same page?
>
> Would this be a proxy thing or is something I can set in Tomcat?  Is there
> something that wouldn't require the overhead of reflecting upon
> every single
> request at the Java level?
>
> Thanks.
> neal


RE: Require a secure connection

Posted by Andy Eastham <an...@gliant.com>.
try:

if (!request.isSecure())
{
	// abort code here
}

You can put this in a superclass of all your secure servlets if you like.

Andy

> -----Original Message-----
> From: neal [mailto:nealcabage@yahoo.com]
> Sent: 16 January 2003 22:09
> To: Tomcat Users List
> Subject: Require a secure connection
>
>
> Does anyone know how to *require* that a page be accessed only
> via a secure
> connection?
>
> For instance, I *can* request a secure connection to a page by going to
> "https://" and the url ... but how do I prevent a user from going to
> "http://" to request that same page?
>
> Would this be a proxy thing or is something I can set in Tomcat?  Is there
> something that wouldn't require the overhead of reflecting upon
> every single
> request at the Java level?
>
> Thanks.
> neal





Re: Require a secure connection

Posted by Milt Epstein <me...@uiuc.edu>.
On Thu, 16 Jan 2003, neal wrote:

> Does anyone know how to *require* that a page be accessed only via a
> secure connection?
>
> For instance, I *can* request a secure connection to a page by going
> to "https://" and the url ... but how do I prevent a user from going
> to "http://" to request that same page?
>
> Would this be a proxy thing or is something I can set in Tomcat?  Is
> there something that wouldn't require the overhead of reflecting
> upon every single request at the Java level?
>
> Thanks.
> neal

I think if you're using Tomcat standalone, the <security-constraint>
technique that others have mentioned is the way to go.  But if you're
using Tomcat behind Apache, you should be able to control this by
controlling what resources are available to each "instance" of the
server (with http being one instance and https being another).  For
example, you can set them up as separate virtual hosts, and then
control what resources are accessible within each virtual host.  Works
for us.

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
mepstein@uiuc.edu

