Did you try ServletRequest.isSecure? Another thought is to see how the app
behaves if you declare a security constraint in web.xml:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>INTEGRAL</transport-guarantee>
      <!-- or CONFIDENTIAL -->
    </user-data-constraint>
  </security-constraint>
Which should require that all requests are made via SSL.
Quoting Ian Hunter <[EMAIL PROTECTED]>:
> So if I ditched ajp and went with a ModProxy directive or something, might
> that work? I wouldn't think so, because the protocol in use between Apache
> and Tomcat would then be http, not https. Maybe they ought to fix that page
> I quoted originally to give a more realistic understanding of SSL front
> ends...
>
> ----- Original Message -----
> From: "Turner, John" <[EMAIL PROTECTED]>
> To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> Sent: Tuesday, February 25, 2003 9:37 AM
> Subject: RE: How to verify SSL/HTTPS behind Tomcat via AJP13
>
>
> >
> > Nope. I think there are some SSL-specific Request variables that are sent
> > along with a SSL request, you could always Enum through the list and look
> > for them, but that is just as kludgy.
> >
> > The problem is that behind a connector like JK or JK2, there is no HTTP, and
> > there is no HTTPS. The protocol being used is JK/JK2 (AJP13/14), so the
> > only resources available to a developer at that point are the things that
> > get sent along with typical requests.
> >
> > John
> >
> >
> > > -----Original Message-----
> > > From: Ian Hunter [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, February 25, 2003 9:31 AM
> > > To: Tomcat Users List
> > > Subject: Re: How to verify SSL/HTTPS behind Tomcat via AJP13
> > >
> > >
> > > I've "fallen back" to seeing if
> > > getRequestURL().toString().startsWith("https") -- that seems
> > > pretty kludgy.
> > > Any other ideas?
> > >
> > > ----- Original Message -----
> > > From: "Turner, John" <[EMAIL PROTECTED]>
> > > To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> > > Sent: Tuesday, February 25, 2003 8:41 AM
> > > Subject: RE: How to verify SSL/HTTPS behind Tomcat via AJP13
> > >
> > >
> > > >
> > > > The return from getProtocol() is correct, AFAIK. I don't believe there
> > > > is a HTTPS/1.1 or similar, but I could be wrong.
> > > >
> > > > By "check protocol type" in the docs (agreed, it is unclear), I believe
> > > > it means to do one (or all) of the following:
> > > >
> > > > - check the URL for "https"
> > > > - check the port number for the request
> > > > - use HttpServletRequest.isSecure(), though I think that will return
> > > >   "false" when you use Tomcat via a connector with Apache....I've never
> > > >   tried it to be sure.
> > > >
> > > > John
> > > >
> > > > > -----Original Message-----
> > > > > From: Ian Hunter [mailto:[EMAIL PROTECTED]
> > > > > Sent: Monday, February 24, 2003 9:26 PM
> > > > > To: Tomcat Users List
> > > > > Subject: How to verify SSL/HTTPS behind Tomcat via AJP13
> > > > >
> > > > >
> > > > > From http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html --
> > > > > "Any pages which absolutely require a secure connection should check
> > > > > the protocol type associated with the page request and take the
> > > > > appropriate action if https is not specified."
> > > > >
> > > > > Also, "When running Tomcat primarily as a Servlet/JSP container behind
> > > > > another web server, such as Apache or Microsoft IIS, it is usually
> > > > > necessary to configure the primary web server to handle the SSL
> > > > > connections from users. Typically, this server will negotiate all
> > > > > SSL-related functionality, then pass on any requests destined for the
> > > > > Tomcat container only after decrypting those requests. Likewise,
> > > > > Tomcat will return cleartext responses, that will be encrypted before
> > > > > being returned to the user's browser. In this environment, Tomcat
> > > > > knows that communications between the primary web server and the
> > > > > client are taking place over a secure connection (because your
> > > > > application needs to be able to ask about this), but it does not
> > > > > participate in the encryption or decryption itself."
> > > > >
> > > > > However, when I check "request.getProtocol()" I get "HTTP/.1.1" even
> > > > > when I'm connecting via SSL (url shows https: and browser shows "lock"
> > > > > and confirms 128 bit SSL) -- what gives?
> > > > >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
--
Kris Schneider <mailto:[EMAIL PROTECTED]>
D.O.Tech <http://www.dotech.com/>
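
The checks discussed in this thread, gathered into one servlet filter as an added example (not code posted by anyone on the list). It logs what isSecure(), getScheme(), the server port, getProtocol() and the javax.servlet.request.cipher_suite attribute each report, then rejects the request unless isSecure() is true. The class name RequireSecureFilter is hypothetical, and whether the front-end connector passes the SSL state through to Tomcat is an assumption to confirm from the log output.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter (the name is an assumption): logs each HTTPS check, then fails closed. */
public class RequireSecureFilter implements Filter {
    private FilterConfig config;

    public void init(FilterConfig config) { this.config = config; }

    public void destroy() { config = null; }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Assumes the filter is only mapped to HTTP requests.
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Servlet-spec attribute the container sets only for requests it treats as SSL.
        Object cipher = request.getAttribute("javax.servlet.request.cipher_suite");

        // getProtocol() reports the HTTP version ("HTTP/1.1"), never "HTTPS",
        // so it is logged for comparison only and plays no part in the decision.
        config.getServletContext().log("isSecure=" + request.isSecure()
                + " scheme=" + request.getScheme()
                + " port=" + request.getServerPort()
                + " protocol=" + request.getProtocol()
                + " cipher_suite=" + cipher);

        if (!request.isSecure()) {
            // Fail closed: refuse the request rather than serve it over a
            // connection the container does not consider secure.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map it to /* with a <filter> and <filter-mapping> in web.xml and compare the logged values for an http:// and an https:// request through the front end.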