Re: How do I redirect all tomcat ports to use SSL?
This is an example:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>securePages</web-resource-name>
        <url-pattern>/index.jsp</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Fabian
http://www.manentiasoftware.com

Donny R Rota wrote:

> Thanks, I use security-constraints now, and I've been looking for this answer for weeks. I've not found that option available. Can you send me a URL to this? In the meantime, I'm going to see if I can find that option in my other sources.
>
> thanks!
> ...Don...
>
> --
> Don Rota, CTG Operations
> Rational Software, IBM Software Group
> 20 Maguire Road, Lexington, MA 02421-3104
> Tel: 781 676 2655, Fax: 781 676 7645
> [EMAIL PROTECTED]
>
> Fabian Pena [EMAIL PROTECTED]
> 05/04/2005 04:51 PM
> Please respond to: Tomcat Users List
> To: Tomcat Users List tomcat-user@jakarta.apache.org
> cc:
> Subject: Re: How do I redirect all tomcat ports to use SSL?
>
> > In a web application, you can edit your web.xml file and add a security-constraint to redirect all application requests to SSL.
> >
> > I hope this helps.
> > Fabian
> >
> > Donny R Rota wrote:
> >
> > > This week's puzzler 8^)
> > >
> > > I want all my Tomcat requests to go through SSL. I set up Tomcat, and got port 80 and port 443 (SSL) working. But I cannot redirect port 80 to 443. I keep getting refused:
> > >
> > > Is there a way in Tomcat to redirect all port 80 requests to SSL (443)? I know you can do it the other way around 8443 - 80.
> > >
> > > I'm just running standalone Tomcat, no Apache.
> > >
> > > advTHANKSance!
> > > ...Don...
> > >
> > > --
> > > Don Rota, CTG Operations
> > > Rational Software, IBM Software Group
> > > 20 Maguire Road, Lexington, MA 02421-3104
> > > Tel: 781 676 2655, Fax: 781 676 7645
> > > [EMAIL PROTECTED]

Re: Moving from http to https doesnt expire session
Thanks Bob.

Yes, I think an invalidate and then a request.getSession(true) doesn't work. Do you know if there are some other options, or a Tomcat setting to do this?

The only solution that I found at this moment was to set a different domain name for http and https.

As you see, my English is not good.

Greetings,
Fabian

Bob Feretich wrote:

> If you start a session under http, Tomcat will maintain the session into https. This is the desired behavior for most users. Most e-commerce sites use shopping cart models and don't switch to https until you want to check out. If the session was changed on the transition, you would lose the shopping cart contents just as it was time to pay. Also, maintaining the session from http to https does not create a security hazard.
>
> Tomcat does not permit a session to be maintained across a https to http transition for security reasons.
>
> To force a session to expire when moving from http to https...
> For https pages, at the top of your servlet/jsp, where request is the HttpServletRequest object, insert...
>
>     if (!request.isSecure()) { // not needed if page is a secure resource
>         // code to redirect back to the same page under https
>     }
>     // get the browser's cookies
>     Cookie[] cookies = request.getCookies();
>     if (cookies == null) {
>         // code to tell user to enable cookies
>     }
>     // check session
>     HttpSession session = request.getSession(false);
>     if (session != null && cookies != null) { // guard: cookies may be null
>         // Find the JSESSIONID cookie
>         for (int i = 0; i < cookies.length; i++) {
>             if ("JSESSIONID".equals(cookies[i].getName())) {
>                 if (!cookies[i].getSecure()) {
>                     // invalidate non-secure session
>                     session.invalidate(); // see below Note 1.
>                     break;
>                 } // if cookie[]
>             } // if found cookie
>         } // for i
>     } // if session
>     session = request.getSession(true);
>
> Note 1. At this spot in my servlet, I have code to redirect back to the servlet under https. It shouldn't be required, but I may have suspected that session.invalidate() immediately followed by a request.getSession(true) didn't work.
>
> Hope this helps.
> Bob Feretich
>
> Subject: Moving from http to https doesnt expire session
> From: Fabian Pena [EMAIL PROTECTED]
> Date: Mon, 02 May 2005 09:54:29 -0300
> To: tomcat-user@jakarta.apache.org
>
> > Hi all,
> >
> > I have a simple question, at least I think so. I am developing an application that contains confidential information, and I'm having a simple problem. When a user moves from http to https the session doesn't expire; the jsessionid is the same. I want to generate a new session and of course change the jsessionid in the first https request.
> >
> > Can anyone help me?
> >
> > Thanks in advance
> > Fabian

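For the session thread above, an added example (not written by any poster in the thread and not Tomcat's own code) of giving a session that began over http a new ID on its first https request while keeping its attributes. It assumes a Servlet 3.1 or later container with the `javax.servlet` API, where `HttpServletRequest.changeSessionId()` exists; the class name and the marker attribute are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (hypothetical class name): rotates the session ID the first
 * time an existing session is seen on a secure request.
 */
public class RotateSessionOnTlsFilter implements Filter {

    // Hypothetical marker attribute: present once the current ID was issued over TLS.
    static final String TLS_BOUND = "example.session.tlsBound";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);

        // Only act on an existing session that has not yet been rotated under https.
        // A session created under https is rotated once as well, which is harmless.
        if (request.isSecure() && session != null && session.getAttribute(TLS_BOUND) == null) {
            // The old ID may have crossed the network in cleartext. changeSessionId()
            // assigns a new ID to the same session, so a shopping cart survives.
            request.changeSessionId();
            session.setAttribute(TLS_BOUND, Boolean.TRUE);
        }
        chain.doFilter(request, res);
    }

    @Override
    public void destroy() { }
}
```

Map the filter to `/*` so it runs before the application's own servlets. The rotation only helps if the cookie carrying the new ID is marked Secure, which is worth confirming in the https response headers.
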
Re: How do I redirect all tomcat ports to use SSL?
In a web application, you can edit your web.xml file and add a security-constraint to redirect all application requests to SSL.

I hope this helps.
Fabian

Donny R Rota wrote:

> This week's puzzler 8^)
>
> I want all my Tomcat requests to go through SSL. I set up Tomcat, and got port 80 and port 443 (SSL) working. But I cannot redirect port 80 to 443. I keep getting refused:
>
> Is there a way in Tomcat to redirect all port 80 requests to SSL (443)? I know you can do it the other way around 8443 - 80.
>
> I'm just running standalone Tomcat, no Apache.
>
> advTHANKSance!
> ...Don...
>
> --
> Don Rota, CTG Operations
> Rational Software, IBM Software Group
> 20 Maguire Road, Lexington, MA 02421-3104
> Tel: 781 676 2655, Fax: 781 676 7645
> [EMAIL PROTECTED]

Moving from http to https doesnt expire session
Hi all,

I have a simple question, at least I think so. I am developing an application that contains confidential information, and I'm having a simple problem. When a user moves from http to https the session doesn't expire; the jsessionid is the same. I want to generate a new session and of course change the jsessionid in the first https request.

Can anyone help me?

Thanks in advance
Fabian

Re: security-constraint in web.xml
Your suggestion works perfectly.

Thank you very much.
Fabian

Bill Barker wrote:

> You simply need to have two security-constraints: one looks like below, and the other has <url-pattern>/*</url-pattern> and doesn't have an auth-constraint.
>
> [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>
> > I need help to configure a secure application.
> > I'm trying to request a client certificate in one page only (the rest should be accessible without presenting a certificate) and force the use of SSL in the entire application.
> >
> > I put the following in the web.xml:
> >
> >     <security-constraint>
> >       <web-resource-collection>
> >         <web-resource-name>certificates</web-resource-name>
> >         <url-pattern>/certificates/add.action</url-pattern>
> >         <http-method>GET</http-method>
> >         <http-method>POST</http-method>
> >       </web-resource-collection>
> >       <auth-constraint>
> >         <role-name>*</role-name>
> >       </auth-constraint>
> >       <user-data-constraint>
> >         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >       </user-data-constraint>
> >     </security-constraint>
> >     <login-config>
> >       <auth-method>CLIENT-CERT</auth-method>
> >     </login-config>
> >
> > If I add a new url pattern, this page will request a client certificate too.
> > How can I force the use of SSL without requiring a client certificate but still require it in a specific page?
> >
> > Thanks in advance.
> >
> > regards,
> > fabian