On Fri, 25 Oct 2002, Turner, John wrote: > Thanks, but I think there is a "better" way to do it, such that the > request never even gets to the servlet or JSP page if it isn't > secure when it should be. I just don't know it.
I'd think the "cleanest" way to do this would be by putting appropriate directives in the http and https sections of the httpd.conf file. That is (assuming mod_jk is being used), have the JkMount's for http-OK servlets/JSPs in the section that applies to the root/http instance/virtual host, and have the JkMounts for https-OK servlets/JSPs in the section that applies to the https instance/virtual host. How easy this would be, or whether it can be done at all, might depend on how things are set up regarding the directory structure of the web applications. For example, if you have totally separate directories/contexts for the http and https stuff, you're probably OK. If you have them mixed, i.e. one directory/context that has both http and https stuff, you might be in trouble. Of course, that may be a bad design for a number of reasons (including the problem of mixing http and https in the same context and sessions, which has been discussed here previously). > > -----Original Message----- > > From: Graham King [mailto:graham@;gointernet.co.uk] > > Sent: Friday, October 25, 2002 8:29 AM > > To: Tomcat Users List > > Subject: Re: Apache-Tomcat > > > > > > See javax.servlet.ServletRequest.isSecure() > > > > This should do it: > > > > if ( request.isSecure() ) { > > // All is well > > } > > else { > > // Redirect to https site > > } > > > > > > Turner, John wrote: > > > I only know the inelegant, brute force way, which is to > > check the request > > > object for the request type, and if it's "http" when it > > should be "https", > > > do a redirect to the same URL but with "https" prepended. > > > > > > There's probably a much more robust and correct way to do > > this using Tomcat > > > security restrictions and realms, but I haven't worked with > > them that much, > > > so I don't want to give you wrong information. Lots of > > people on the list > > > have done this, though, so perhaps the best way to proceed > > would be to start > > > a new thread with a new subject about restricting > > particular URLs to SSL. > > > > > > John > > > > > > > > > > > >>-----Original Message----- > > >>From: Christie I [mailto:christie_iii@;yahoo.com] > > >>Sent: Friday, October 25, 2002 1:04 AM > > >>To: Tomcat Users List > > >>Subject: RE: Apache-Tomcat > > >> > > >> > > >> > > >>Hi > > >> > > >>Thank you very much John. It worked!. I have one last > > >>problem. Iam running Openssl. Iam having *.jsp files in my > > >>webapps/myproject directory that some of the files needs to > > >>be accessed by https and not thru http? How to do this? > > >> > > >>for eg :https://0.0.0.0/welcome.jsp should not be accessed > > >>thru http://0.0.0.0 ? How to do restrict this? > > >> > > >>Thanks in advance Milt Epstein Research Programmer Integration and Software Engineering (ISE) Campus Information Technologies and Educational Services (CITES) University of Illinois at Urbana-Champaign (UIUC) [EMAIL PROTECTED] -- To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org> For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
