On Thu, 16 Jan 2003, neal wrote: > Does anyone know how to *require* that a page be accessed only via a > secure connection? > > For instance, I *can* request a secure connection to a page by going > to "https://" and the url ... but how do I prevent a user from going > to "http://" to request that same page? > > Would this be a proxy thing or is something I can set in Tomcat? Is > there something that wouldn't require the overhead of reflecting > upon every single request at the Java level? > > Thanks. > neal
I think if you're using Tomcat standalone, the <security-constraint> technique that others have mentioned is the way to go. But if you're using Tomcat behind Apache, you should be able to control this by controlling what resources are available to each "instance" of the server (with http being one instance and https being another). For example, you can set them up as separate virtual hosts, and then control what resources are accessible within each virtual host. Works for us. Milt Epstein Research Programmer Integration and Software Engineering (ISE) Campus Information Technologies and Educational Services (CITES) University of Illinois at Urbana-Champaign (UIUC) [EMAIL PROTECTED] -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>