Kent,

On 12/14/23 09:13, ResSoft wrote:
I am currently forcing my app to use https.  Here is what I have in my
app web.xml file and it works as intended

<security-constraint>
        <web-resource-collection>
    <web-resource-name>securedapp</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

I also now want to restrict the browser from pulling up files in certain
directories.  Searching the web, I see to use the following

<security-constraint>
        <web-resource-collection>
                =

I hope this is just a stray = added by your email program. If it's not, please remove it.

<web-resource-name>HTTP-Protected-Resource-1</web-resource-name>
                <description>Description here</description>
                <url-pattern >/path to directory/path to directory/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>

What about HEAD requests? Or PUT? Or maybe FOO?

Don't forget that any client can try any HTTP method verb. It doesn't have to make any sense, and most code assumes GET unless it's looking for something else.

        </web-resource-collection>
        <auth-constraint/>
</security-constraint>

These both work independently of each other.  What I can't
figure out is how to make them work together.  When I try that, all
files are forbidden as it appears the <url-pattern>/*</url-pattern>
locks everything down.  But without it, I cannot get tomcat to force
http to https.

Have you set a redirectPort in your HTTP <Connector>?

-chris
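
The HTTP-method point raised above, as an added example that is not part of the original message or of Tomcat: a small audit that parses a web.xml and reports every `<web-resource-collection>` whose `<http-method>` list leaves other verbs (HEAD, PUT, FOO, ...) outside the constraint. The sample descriptor is constructed from the two constraints in the thread, `/private/*` is a placeholder for the elided directory path, and `audit` and `local` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two constraints from the thread in one web.xml.
# "/private/*" is a placeholder for the directory path elided in the post.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>securedapp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTP-Protected-Resource-1</web-resource-name>
      <url-pattern>/private/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip an XML namespace so the check works with any web-app schema."""
    return tag.rsplit("}", 1)[-1]

def audit(web_xml):
    """Return one finding per url-pattern that is constrained only for listed methods."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = local(el.tag)
    # Servlet 3.1+: this element makes the container deny every uncovered method.
    deny_uncovered = root.find("deny-uncovered-http-methods") is not None
    findings = []
    for sc in root.iter("security-constraint"):
        # An auth-constraint with no role-name means "nobody may access".
        deny_all = any(not ac.findall("role-name") for ac in sc.findall("auth-constraint"))
        for wrc in sc.findall("web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall("http-method")]
            if not methods or deny_uncovered:
                continue  # no list means all methods are covered
            for pat in wrc.findall("url-pattern"):
                findings.append({"pattern": pat.text.strip(),
                                 "covered": methods, "deny_all": deny_all})
    return findings
```

On the sample, the only finding is the directory constraint: it denies GET and POST, while any other method falls outside it. Removing the `<http-method>` elements clears the finding.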
