Jay, I've had success with using the webapp deployment descriptor "transport-guarantee" user-data-contraint as follows:
<security-constraint> <web-resource-collection> <web-resource-name>myPayroll</web-resource-name> <url-pattern>/payrollServlet</url-pattern> <http-method>GET</http-method> </web-resource-collection> <user-data-constraint> <transport-guarantee> CONFIDENTIAL </transport-guarantee> </user-data-constraint> </security-constraint> If your Tomcat server's connector is properly setup to specify the "redirectPort" as shown below in your non-secure Connector (your connector class may be different): <Connector className="org.apache.catalina.connector.http.HttpConnector" port="8080" minProcessors="5" maxProcessors="75" enableLookups="true" redirectPort="8443" acceptCount="10" debug="10" connectionTimeout="60000"/> AND you have a Connector listening on that port, for example: <Connector className="org.apache.catalina.connector.http.HttpConnector" port="8443" minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="0" scheme="https" secure="true"> <Factory className="org.apache.catalina.net.SSLServerSocketFactory" clientAuth="false" protocol="TLS"/> </Connector> then Tomcat should do the redirection for you. Here's the documentation link for setting up SSL under Tomcat, if that's useful to you: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html Good luck, Norb Jay Wright wrote:
I am trying to do some initial research on SSL and tomcat. Perhaps there is a faq out there that can help me, but the ones I've found on the tomcat site haven't, so I turn to the newsgroup. I'm looking for some tried and true knowledge on implementing one tomcat instance with both secure and non-secure webapps. If I request comes into a webapp that needs to be secure, I would like to redirect that request to the secure site. Is it best to do this in code (by checking the request.isSecure()) and then issuing response.sendRedirect() or can it be done through server.xml in tomcat or web.xml in the webapp? I assume you'd set up a second <Host> in server.xml and include the webapp <Context> in there. The non-secure <Host> has a redirectPort configured which is suppose to then redirect to the secure site. Or would you set up the <security-constraint> in web.xml. Or am I way off? Jay -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
-- ---------------------------------------------------------- Norbert K. Kuhnert Phone: 858-455-1800 x204 Fax: 858-455-1801 CTO, Founder Email: [EMAIL PROTECTED] Cafesoft LLC WWW: www.cafesoft.com ---------------------------------------------------------- -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>