Re: SSL FAQ and question

Thu, 21 Nov 2002 11:49:06 -0800 

Jay,

I've had success with using the webapp deployment descriptor
"transport-guarantee" user-data-contraint as follows:

<security-constraint>
   <web-resource-collection>
      <web-resource-name>myPayroll</web-resource-name>
      <url-pattern>/payrollServlet</url-pattern>
      <http-method>GET</http-method>
   </web-resource-collection>
   <user-data-constraint>
      <transport-guarantee>
      CONFIDENTIAL
      </transport-guarantee>
   </user-data-constraint>
</security-constraint>

If your Tomcat server's connector is properly setup to specify
the "redirectPort" as shown below in your non-secure Connector
(your connector class may be different):

<Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8080" minProcessors="5" maxProcessors="75"
               enableLookups="true" redirectPort="8443"
               acceptCount="10" debug="10" connectionTimeout="60000"/>

AND you have a Connector listening on that port, for example:

<Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
	       acceptCount="10" debug="0" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="false" protocol="TLS"/>
</Connector>


then Tomcat should do the redirection for you. Here's the documentation
link for setting up SSL under Tomcat, if that's useful to you:

http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html

Good luck,

Norb





Jay Wright wrote:

I am trying to do some initial research on SSL and tomcat.  Perhaps there is
a faq out there that can help me, but the ones I've found on the tomcat site
haven't, so I turn to the newsgroup.

I'm looking for some tried and true knowledge on implementing one tomcat
instance with both secure and non-secure webapps.  If I request comes into a
webapp that needs to be secure, I would like to redirect that request to the
secure site.

Is it best to do this in code (by checking the request.isSecure()) and then
issuing response.sendRedirect() or can it be done through server.xml in
tomcat or web.xml in the webapp?

I assume you'd set up a second <Host> in server.xml and include the webapp
<Context> in there.  The non-secure <Host> has a redirectPort configured
which is suppose to then redirect to the secure site.

Or would you set up the <security-constraint> in web.xml.

Or am I way off?

Jay


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>


--
----------------------------------------------------------
 Norbert K. Kuhnert              Phone: 858-455-1800 x204
                                   Fax: 858-455-1801
 CTO, Founder                    Email: [EMAIL PROTECTED]
 Cafesoft LLC                      WWW: www.cafesoft.com
----------------------------------------------------------


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

Reply via email to