"Craig R. McClanahan" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
>
>
> On 2 Dec 2002, Alexander Wallace wrote:
>
> > Date: 02 Dec 2002 18:41:26 -0600
> > From: Alexander Wallace <[EMAIL PROTECTED]>
> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > To: Tomcat Users List <[EMAIL PROTECTED]>
> > Subject: Filters don't affect request dispatcher forward
> >
> > Hi there. I wrote a filter to ensure that resources that I want accessed
> > using https are, and the ones that don't need to aren't.
> >
> > I found out that filters are only applied if the request came from the
> > user, by typing the url or using a link, etc. They are not used if the
> > resource is called using request dispatcher.
> >
> > Supposedly this is because of a lack of specifications in the servlet
> > api, but that should be fixed in the api used by tomcat 5.
> >
> > Is all this correct?
>
> Yes, basically.
>
> > Is there a work around while tomcat 5 is released?
>
> You can use a security constraint with a <transport-guarantee> element to
> require that certain accesses be performed only on SSL connections. Then,
> the container will do the necessary redirect for you.

Urm, on my reading of the 2.3 spec, this would be a bug if Tomcat 4.x enforces a <transport-guarantee> on a rd.forward/include. Not to mention the fact that it would mean that I'd have to go back and spend many more hours studying the Catalina API :).

>
> An example that requires any (context-relative) path starting with "/foo"
> or "/bar" to be done on SSL would look like this:
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>SSL-Only Portion Of This Webapp</web-resource-name>
>       <!-- Specify as many patterns as you need here -->
>       <url-pattern>/foo/*</url-pattern>
>       <url-pattern>/bar/*</url-pattern>
>     </web-resource-collection>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>
> Note that, because there is no <auth-constraint>, login will not be
> required -- only execution over SSL will be required, and only for URLs in
> the named "subdirectories". All other accesses to the webapp will be
> allowed over either SSL or non-SSL requests.
>
> >
> > Also, does someone have or know of a proven filter that redirects to
> > http or https? Mine seems to work ok, but I want to make sure I'm not
> > missing something.
> >
>
> With the above security constraint, you won't need a filter at all :-).
>
> > Thanks in advance!
> >
>
> Craig
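
Added example, not part of the original messages and not Tomcat's own code: a filter that enforces HTTPS both on client requests and on rd.forward() targets, for the case where the <transport-guarantee> is only evaluated against the original client request. It assumes a Servlet 2.4 container (the API used by Tomcat 5), where <filter-mapping> accepts <dispatcher> elements; the class name, filter name and the "httpsHost" init-param are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; class name, filter name and the "httpsHost" init-param are
// hypothetical. Servlet 2.4+ mapping that also covers rd.forward():
//   <filter-mapping>
//     <filter-name>RequireHttps</filter-name>
//     <url-pattern>/foo/*</url-pattern>
//     <dispatcher>REQUEST</dispatcher>
//     <dispatcher>FORWARD</dispatcher>
//   </filter-mapping>
public class RequireHttpsFilter implements Filter {
    private String httpsHost; // e.g. "www.example.com" or "www.example.com:8443"

    public void init(FilterConfig cfg) throws ServletException {
        httpsHost = cfg.getInitParameter("httpsHost");
        if (httpsHost == null || httpsHost.length() == 0) {
            // Fail closed: never build the redirect target from the Host header.
            throw new ServletException("init-param httpsHost is required");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (request.isSecure()) {           // already on SSL: continue the chain
            chain.doFilter(req, res);
            return;
        }
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            // A redirect would drop the body, which already travelled in clear text.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // On a FORWARD dispatch getRequestURI() is the forward target's path.
        StringBuffer url = new StringBuffer("https://").append(httpsHost)
                .append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        response.sendRedirect(url.toString());
    }

    public void destroy() { }
}
```

Behind a TLS-terminating proxy, isSecure() stays false unless the container is told the original scheme, which would turn this filter into a redirect loop.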
