Posted to users@tomcat.apache.org by t....@iflexsolutions.com on 2002/05/07 13:08:38 UTC

RE: TOMCAT & SSL !!!

Hi Steve,

I had included the security constraint in web.xml, but still
the request goes through without SSL. What mistake am I making?

What is the <login-config>? Do I have to include that too?
I was also not clear about the "redirectPort" bit - where could I get
more help?

Thanks,
Ritesh


-----Original Message-----
From: Steve D George [mailto:steve_george@uk.ibm.com]
Sent: Tuesday, April 30, 2002 3:48 PM
To: Tomcat Users List
Subject: Re: TOMCAT & SSL !!!



Hi, have a look for postings titled 'How to enforce SSL' that were posted
over the last few days. Assuming you have gone through the How-to-SSL
document in the tomcat docs and set up a certificate, to enforce SSL for a
certain directory in your context, you need something like this in your
web.xml.

<!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>trackeruser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Location Tracker Application</realm-name>
  </login-config>

The important piece is the user-data-constraint and the
transport-guarantee. This tells tomcat that all requests to the url pattern
(in my case it is the whole of my context) should be sent over HTTPS. If a
request is received over HTTP, tomcat will redirect the request at whatever
port is defined in server.xml as the 'redirectPort' for the HTTP connector.
This is probably 8443. You then need to make sure that you have an SSL only
connector on that port but I guess you should already have that if you've
got the SSL working already.

Cheers.

Steve.



 

t.riteshmenon@iflexsolutions.com
30/04/2002 11:10
Please respond to "Tomcat Users List"

To: tomcat-user@jakarta.apache.org
cc:
Subject: TOMCAT & SSL !!!

Hi All,

My application requires that certain pages on the site are accessed via
SSL. Is there a way in Tomcat to reject the connection of http to a
specific page (i.e. securePage.jsp) but still allow http access to other
pages (i.e. standardPage.jsp)?

Also I'm using cookies - so I wanted to know whether these cookies will
be visible in both the http & https contexts.

Thanks in advance,

Ritesh
----------------------------------------------------------------------------

This message contains privileged and confidential information and is
intended only for the individual named.If you are not the intended
recipient
you should not disseminate,distribute,store,print, copy or deliver this
message.Please notify the sender immediately by e-mail if you have received
this e-mail by mistake and delete this e-mail from your system.E-mail
transmission cannot be guaranteed to be secure or error-free as information
could be intercepted,corrupted,lost,destroyed,arrive late or incomplete or
contain viruses.The sender therefore does not accept liability for any
errors or omissions in the contents of this message which arise as a result
of e-mail transmission. If verification is required please request a
hard-copy version.
----------------------------------------------------------------------------


--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>




