I've gone through your same questions lately, and I'm still learning, but here is 
what I've learned from the list and other places.

*Once you start using https, you should NOT switch back to http; doing so will 
allow whoever to sniff the session id and put at risk whatever you thought 
you secured with https. So, if during a session a user goes to https, you 
should not switch back to http just because the next page does not need to be 
secured; at this point it is not the page, but the session, that needs to be 
secure.

*There are numerous ways to know if you are running https and also to switch 
to https if you were not.

I use a filter to look at what port and protocol is being requested, and 
switch to https if necessary. The method used varies if you use apache + 
tomcat or tomcat stand alone. This is because when using apache, apache talks to 
tomcat always in http; it takes charge of all communication being secure with 
the client, but it tells you the user requested a secure session by 
appending the secure port number to the url requested. If tomcat is being 
used stand alone, you can check what protocol was requested and other stuff 
using the HttpServletRequest's getScheme(), getProtocol(), getServerPort() and stuff like 
that.

If a servlet or jsp needs to know if a secure session was requested, you can use 
the isSecure() method of the request.

There is also a way to force tomcat to ensure a secure scheme is being used, by 
adding something like the following to your web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>SSL-Only Portion Of This Webapp</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

And you can also make apache not serve anything but whatever uri prefix you 
specify so it won't serve something if it begins with /secure, which you can 
use as the prefix for any jsp or servlet you want to make sure run only in a 
secure way.

I hope all this helps!
On Tuesday 17 December 2002 14:43, Cook, Christopher H (IndSys, GE Interlogix) 
wrote:
> The documentation supplied for tomcat that pertains to the configuration of
> ssl states - "indeed a developer can pick and choose which pages require a
> secure connection and which do not. For a reasonably busy site, it is
> customary to only run certain pages under SSL, namely those pages where
> sensitive information could possibly be exchanged. ...  Any pages which
> absolutely require a secure connection should check the protocol type
> associated with the page request and take the appropriate action of https
> is not specified."
>
> I have SSL set up in my application currently, so that any page I request
> can either use https or http.  How do I restrict access to some pages using
> http, while allowing others to use it?  Basically how do I implement the
> scenarios described in the above passage?  Or where is there documentation
> on this?
>
> Thanks,
>
> Chris
>
> --
> To unsubscribe, e-mail:  
> <mailto:[EMAIL PROTECTED]> For additional
> commands, e-mail: <mailto:[EMAIL PROTECTED]>


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
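One way to put both points from the reply into a servlet filter (an added example, not code from this thread or from Tomcat; it assumes standalone Tomcat so that isSecure() reflects the actual client connection, and the init-param names securePort and securePrefix are my own):

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Map this filter to /* in web.xml. It sends any plain-HTTP request for a
// path under securePrefix to HTTPS, and once a session has been seen over
// HTTPS it keeps every later request in that session on HTTPS as well.
public class RequireHttpsFilter implements Filter {
    private static final String SEEN_HTTPS = "seenHttps"; // session attribute name (my choice)
    private int securePort = 443;             // init-param "securePort" (hypothetical name)
    private String securePrefix = "/secure/"; // init-param "securePrefix" (hypothetical name)

    public void init(FilterConfig cfg) {
        String port = cfg.getInitParameter("securePort");
        if (port != null) securePort = Integer.parseInt(port);
        String prefix = cfg.getInitParameter("securePrefix");
        if (prefix != null) securePrefix = prefix;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (request.isSecure()) {
            // Remember that this session has now carried HTTPS traffic.
            request.getSession(true).setAttribute(SEEN_HTTPS, Boolean.TRUE);
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = request.getSession(false);
        boolean sessionWasSecure = session != null && session.getAttribute(SEEN_HTTPS) != null;
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (sessionWasSecure || path.startsWith(securePrefix)) {
            // Plain HTTP where HTTPS is required: redirect to the same path and query.
            response.sendRedirect(httpsUrl(request));
            return;
        }
        chain.doFilter(req, res);
    }

    private String httpsUrl(HttpServletRequest r) {
        StringBuffer url = new StringBuffer("https://").append(r.getServerName());
        if (securePort != 443) url.append(':').append(securePort);
        url.append(r.getRequestURI());
        if (r.getQueryString() != null) url.append('?').append(r.getQueryString());
        return url.toString();
    }

    public void destroy() {}
}
```

If the plain-HTTP request already carried the session cookie, that id has travelled in the clear once; the redirect stops further exposure but does not undo it.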
