No, it wasn't about form data being sent. Say someone tells you "check out this webpage at www.foo.com/bar.html". That page is supposed to be secured, but you don't know that, and the person referring you to it 1) doesn't know it/doesn't think it matters or 2) doesn't understand the difference.
So, you type that into your browser. The desired behavior would see that the request was not secure, and redirect you to the secure version of the page. Obviously, conventional methods typically require a login before getting any type of SSL connection, so you would want the same code on your login page. PayPal is a perfect example. Type in "www.paypal.com" and you get redirected to the secure version. You can't access paypal.com at all via HTTP, login or not.

John

> -----Original Message-----
> From: Trevor MacPhail [mailto:trevor.macphail.lists@;shaw.ca]
> Sent: Saturday, October 26, 2002 12:02 AM
> To: Tomcat Users List
> Subject: Re: Apache-Tomcat
>
> If you were to do this, wouldn't GET or POST form data be sent through
> the unsecure http connection instead of the https connection you are
> going to redirect to? By that time, the data would have been transmitted
> through an unsecure connection which eliminates the need to bother with
> a secure connection.
>
> --
> Trevor MacPhail
>
> Graham King wrote:
>
> > See javax.servlet.ServletRequest.isSecure()
> >
> > This should do it:
> >
> > if ( request.isSecure() ) {
> >     // All is well
> > }
> > else {
> >     // Redirect to https site
> > }
> >
> > Turner, John wrote:
> >
> >> I only know the inelegant, brute force way, which is to check the
> >> request object for the request type, and if it's "http" when it
> >> should be "https", do a redirect to the same URL but with "https"
> >> prepended.
> >>
> >> There's probably a much more robust and correct way to do this using
> >> Tomcat security restrictions and realms, but I haven't worked with
> >> them that much, so I don't want to give you wrong information. Lots
> >> of people on the list have done this, though, so perhaps the best way
> >> to proceed would be to start a new thread with a new subject about
> >> restricting particular URLs to SSL.
> >>
> >> John
> >>
> >>> -----Original Message-----
> >>> From: Christie I [mailto:christie_iii@;yahoo.com]
> >>> Sent: Friday, October 25, 2002 1:04 AM
> >>> To: Tomcat Users List
> >>> Subject: RE: Apache-Tomcat
> >>>
> >>> Hi
> >>>
> >>> Thank you very much John. It worked! I have one last problem. I am
> >>> running Openssl. I have *.jsp files in my webapps/myproject
> >>> directory, and some of the files need to be accessed by https and
> >>> not through http. How to do this?
> >>>
> >>> For example, https://0.0.0.0/welcome.jsp should not be accessed
> >>> through http://0.0.0.0. How do I restrict this?
> >>>
> >>> Thanks in advance

--
To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
