<[EMAIL PROTECTED]> wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Hello,
>
> Is it possible to configure Tomcat (4.1.x) in such a way that a request
can be
> redirected automatically from HTTPS to HTTP port?
>
> Let's assume that a Website has two separate (non-overlapping) sets of
> resources ("/non_secure_resources/* and "/secure_resources/* respectively)
and
> web.xml descriptor defines the following security constraints:
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Non Secure Resources</web-resource-name>
> <url-pattern>/non_secure_resources/*</url-pattern>
> </web-resource-collection>
>
> <user-data-constraint>
> <transport-guarantee>NONE</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Secure Resources</web-resource-name>
> <url-pattern>/secure_resources/*</url-pattern>
> </web-resource-collection>
>
> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
>
> Then any HTTP request matching "/secure_resources/*" will be automatically
> redirected (assuming that an SSL certificate is installed). However, HTTPS
> requests matching "/non_secure_resources/*"
> (i.e. "https://non_secure_resources/non-secure.jsp) are not redirected
back to
> HTTP as I would expect from the first security constraint. The problem
that I'm
> currently having is that some JSP pages under "/secure_resources" have
links
> pointing to pages within the non-secure portion of the Website,
> i.e. "/secure_resources/secure.jsp" contains a link "<a
> href="/non_secure_resources/non-secure.jsp">). (Also, please notice that
these
> links doesn't explicitly specify the protocol, i.e. "http://"; because I
don't
> want to hardcode the whole URL (some links are relative)). Considering
this,
> when such a link is followed the protocol (HTTPS) is not changed back to
HTTP.
> Does anyone know if there is a solution to this other than using absolute
URLs
> with the HTTP protocol hardcoded in them?
AFAIK, using absolute URLs is the only supported way to go. However, it
would be easy enough to write a Filter that does the redirect for you:
public class MyFilter implements Filter {
public void init(FilterConfig conf) {}
public void destroy() {}
public void doFilter(ServletRequest req, ServletResponse res, FilterChain
chain)
throws ServletException,IOException {
if( req.isSecure() && res instanceof HttpServletResponse ) {
HttpServletReqest hreq = (HttpServletRequest)req;
StringBuffer nReq = new StringBuffer();
nReq.append("http:/").append(hreq.getRequestURI());
if(hreq.getQueryString() != null) {
nReq.append('?').append(hreq.getQueryString());
}
((HttpServletResponse)res).sendRedirect(nReq.toString());
} else {
chain.doFilter(req, res);
}
}
}
>
> Thanks,
> Lukasz Szelag
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
