Re: How do I redirect all tomcat ports to use SSL?

2005-05-05 Thread Fabian Pena
This is an example:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>securePages</web-resource-name>
    <url-pattern>/index.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Fabian
http://www.manentiasoftware.com
Donny R Rota wrote:
Thanks, I use security-constraints now, and I've been looking for this 
answer for weeks.
I've not found that option available.  Can you send me a URL to this?
In the meantime, I'm going to see if I can find that option in my other 
sources.
Thanks!
...Don...

--
Don Rota, CTG Operations
Rational Software, IBM Software Group
20 Maguire Road, Lexington, MA 02421-3104 
Tel: 781 676 2655, Fax: 781 676 7645 
[EMAIL PROTECTED] 


From: Fabian Pena [EMAIL PROTECTED]
Date: 05/04/2005 04:51 PM
Please respond to: Tomcat Users List
To: Tomcat Users List tomcat-user@jakarta.apache.org
cc:
Subject: Re: How do I redirect all tomcat ports to use SSL?


In a web application, you can edit your web.xml file and add a 
security-constraint to redirect all application requests to SSL.

I hope this helps.
Fabian
Donny R Rota wrote:
This week's puzzler  8^)
I want all my Tomcat requests to go through SSL.
I set up Tomcat, and got port 80 and port 443 (SSL) working.
But I cannot redirect port 80 to 443.  I keep getting refused.
Is there a way in Tomcat to redirect all port 80 requests to SSL (443)?
I know you can do it the other way around, 8443 -> 80.
I'm just running standalone Tomcat, no Apache.
advTHANKSance!
...Don...
--
Don Rota, CTG Operations
Rational Software, IBM Software Group
20 Maguire Road, Lexington, MA 02421-3104
Tel: 781 676 2655, Fax: 781 676 7645
[EMAIL PROTECTED]

No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.11.3 - Release Date: 03/05/2005

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





Re: Moving from http to https doesnt expire session

2005-05-04 Thread Fabian Pena
Thanks Bob.
Yes, I think an invalidate and then a request.getSession(true) doesn't work.
Do you know if there are some other options, or a Tomcat setting to do this?
The only solution that I have found so far was to set a different domain 
name for http and https.

As you see, my English is not good.
Greetings,
Fabian
Bob Feretich wrote:
If you start a session under http, Tomcat will maintain the session into 
https. This is the desired behavior for most users. Most e-commerce 
sites use shopping cart models and don't switch to https until you 
want to check out. If the session was changed on the transition, you 
would lose the shopping cart contents just as it was time to pay. Also, 
maintaining the session from http to https does not create a security 
hazard.

Tomcat does not permit a session to be maintained across a https to http 
transition for security reasons.

To force a session to expire when moving from http to https...
For https pages, at the top of your servlet/JSP, where request is the 
HttpServletRequest object, insert:

   // needs javax.servlet.http.Cookie, HttpServletRequest and HttpSession
   if (!request.isSecure()) { // not needed if page is a secure resource
       // code to redirect back to the same page under https
       return;
   }
   // get the browser's cookies
   Cookie[] cookies = request.getCookies();
   if (cookies == null) {
       // code to tell user to enable cookies
       return;
   }
   // check session
   HttpSession session = request.getSession(false);
   if (session != null) {
       // Find the JSESSIONID cookie
       for (int i = 0; i < cookies.length; i++) {
           if ("JSESSIONID".equals(cookies[i].getName())) {
               if (!cookies[i].getSecure()) {
                   // invalidate non-secure session
                   session.invalidate();
                   // see below Note 1.
                   break;
               } // if cookie[]
           } // if found cookie
       } // for i
   } // if session
   session = request.getSession(true);

Note 1. At this spot in my servlet, I have code to redirect back to the 
servlet under https. It shouldn't be required, but I may have suspected 
that session.invalidate() immediately followed by a 
request.getSession(true) didn't work.

Hope this helps.
Bob Feretich
Subject: Moving from http to https doesnt expire session
From: Fabian Pena [EMAIL PROTECTED]
Date: Mon, 02 May 2005 09:54:29 -0300
To: tomcat-user@jakarta.apache.org
Hi all,
I have a simple question, at least I think so.
I am developing an application that contains confidential information,
and I'm having a simple problem.
When a user moves from http to https the session doesn't expire; the
jsessionid is the same.
I want to generate a new session and of course change the jsessionid in the
first https request.
Can anyone help me?
Thanks in advance,
Fabian
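The cookie-flag check in Bob's snippet has a practical limit: a browser sends only name=value in the Cookie header, so Cookie.getSecure() on a request-side cookie cannot tell how the cookie was originally set. The filter below, an added example that is not Bob's code and not part of Tomcat, keys on a session attribute instead: the first time a session that was started over http is used over https, it is invalidated and re-created, and its attributes are copied over so the shopping-cart case Bob describes still works. It targets the Servlet 2.x API (javax.servlet) that Tomcat 5 shipped with; the attribute name ESTABLISHED_OVER_HTTPS and the class name are assumptions.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Servlet filter that gives a session a fresh JSESSIONID the first time it
 * is used over https after having been created over plain http. Session
 * attributes are carried over, so a cart filled over http survives the
 * switch; only the identifier that travelled in clear is replaced.
 *
 * Added example; not Bob Feretich's code and not part of Tomcat.
 */
public class SecureSessionRotationFilter implements Filter {

    /** Hypothetical marker attribute: present once the id was issued over https. */
    private static final String ESTABLISHED_OVER_HTTPS = "example.session.establishedOverHttps";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
        // nothing to release
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Plain-http requests are left alone; the web.xml transport-guarantee
        // (or a redirect) is what moves the user to https.
        if (req.isSecure() && req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpSession current = request.getSession(false);
            if (current != null && current.getAttribute(ESTABLISHED_OVER_HTTPS) == null) {
                rotate(request, current);
            }
        }
        chain.doFilter(req, res);
    }

    /** Invalidate the old session and move its state into a newly created one. */
    private static void rotate(HttpServletRequest request, HttpSession old) {
        Map<String, Object> saved = new HashMap<String, Object>();
        for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();                             // the old JSESSIONID is now dead
        HttpSession fresh = request.getSession(true); // the container issues a new id
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(ESTABLISHED_OVER_HTTPS, Boolean.TRUE);
    }
}
```

Register it in web.xml with a filter element and a filter-mapping on /* so it runs before any servlet or JSP touches the session. A session that is first created over https carries no marker yet and is therefore rotated once on its next secure request, which costs one extra id swap and nothing else. On Servlet 3.1 or later containers (Tomcat 8 and up) request.changeSessionId() performs the same id swap in place without the copy loop.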




Re: How do I redirect all tomcat ports to use SSL?

2005-05-04 Thread Fabian Pena
In a web application, you can edit your web.xml file and add a 
security-constraint to redirect all application requests to SSL.

I hope this helps.
Fabian
Donny R Rota wrote:
This week's puzzler  8^)
I want all my Tomcat requests to go through SSL.
I set up Tomcat, and got port 80 and port 443 (SSL) working.
But I cannot redirect port 80 to 443.  I keep getting refused.
Is there a way in Tomcat to redirect all port 80 requests to SSL (443)?
I know you can do it the other way around, 8443 -> 80.
I'm just running standalone Tomcat, no Apache.
advTHANKSance!
...Don...
--
Don Rota, CTG Operations
Rational Software, IBM Software Group
20 Maguire Road, Lexington, MA 02421-3104
Tel: 781 676 2655, Fax: 781 676 7645
[EMAIL PROTECTED]



Moving from http to https doesnt expire session

2005-05-02 Thread Fabian Pena
Hi all,
I have a simple question, at least I think so.
I am developing an application that contains confidential information,
and I'm having a simple problem.
When a user moves from http to https the session doesn't expire; the
jsessionid is the same.
I want to generate a new session and of course change the jsessionid in the
first https request.
Can anyone help me?
Thanks in advance,
Fabian


Re: security-constraint in web.xml

2004-08-17 Thread Fabian Pena
Your suggestion works perfectly.
Thank you very much.
Fabian
Bill Barker wrote:
You simply need to have two security-constraints:  One looks like below, and
the other has <url-pattern>/*</url-pattern>, and doesn't have an
auth-constraint.
[EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I need help to configure a secure application.
I'm trying to request a client certificate on one page only (the rest should
be accessible without presenting a certificate) and force the use of SSL in the
entire application.
I put the following in the web.xml:

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>certificates</web-resource-name>
       <url-pattern>/certificates/add.action</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>*</role-name>
     </auth-constraint>
     <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
   </security-constraint>
   <login-config>
     <auth-method>CLIENT-CERT</auth-method>
   </login-config>

If I add a new url-pattern, that page will request a client certificate too.
How can I force the use of SSL without requiring a client certificate, but still
require it on one specific page?
Thanks in advance.
regards,
fabian

 


