HTTS --> HTTP redirecting

Mon, 27 Jan 2003 11:50:51 -0800 

Hello,

Is it possible to configure Tomcat (4.1.x) in such a way that a request can be 
redirected automatically from HTTPS to HTTP port?

Let's assume that a Website has two separate (non-overlapping) sets of 
resources ("/non_secure_resources/* and "/secure_resources/* respectively) and 
web.xml descriptor defines the following security constraints:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Non Secure Resources</web-resource-name>
            <url-pattern>/non_secure_resources/*</url-pattern>
        </web-resource-collection>

        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure Resources</web-resource-name>
            <url-pattern>/secure_resources/*</url-pattern>
        </web-resource-collection>

        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Then any HTTP request matching "/secure_resources/*" will be automatically 
redirected (assuming that an SSL certificate is installed). However, HTTPS 
requests matching "/non_secure_resources/*" 
(i.e. "https://non_secure_resources/non-secure.jsp) are not redirected back to 
HTTP as I would expect from the first security constraint. The problem that I'm 
currently having is that some JSP pages under "/secure_resources" have links 
pointing to pages within the non-secure portion of the Website, 
i.e. "/secure_resources/secure.jsp" contains a link "<a 
href="/non_secure_resources/non-secure.jsp">). (Also, please notice that these 
links doesn't explicitly specify the protocol, i.e. "http://"; because I don't 
want to hardcode the whole URL (some links are relative)). Considering this, 
when such a link is followed the protocol (HTTPS) is not changed back to HTTP. 
Does anyone know if there is a solution to this other than using absolute URLs 
with the HTTP protocol hardcoded in them?

Thanks,
Lukasz Szelag




--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

Reply via email to