John,

On 8/1/14, 5:43 PM, John Smith wrote:
> On Fri, Aug 1, 2014 at 4:34 PM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
>
>>> From: John Smith [mailto:tomcat.ran...@gmail.com]
>>> Subject: Restricting SSL access within webapp
>>
>>> What's the correct way to selectively restrict https to only one area of a webapp?
>>
>> Why would you want to do that? Other than a few extra server CPU cycles, what's the harm in allowing SSL anywhere at the client's discretion?
>>
>> - Chuck
>
> From the docs:
>
> Also, while the SSL protocol was designed to be as efficient as securely possible, encryption/decryption is a computationally expensive process from a performance standpoint. It is not strictly necessary to run an entire web application over SSL, and indeed a developer can pick and choose which pages require a secure connection and which do not. For a reasonably busy site, it is customary to only run certain pages under SSL, namely those pages where sensitive information could possibly be exchanged.
>
> Unfortunately how to do this isn't explained. I might use a filter. Our site handles 500,000 visitors a day on two TC instances. Believe me, I need to consider performance costs.

You'd have to determine which URL patterns are "okay" for dropping HTTPS and then do a protocol-changing redirect. You can do this with a custom Filter, or you might even be able to use url-rewrite to do the job... I've never tried to configure that to switch protocols and do a self-redirect. Writing the code yourself should be easy, but you should probably give url-rewrite a try first.

-chris
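
The custom Filter approach described in the reply above, as an added example that is not part of the original message or of Tomcat's own code. It assumes a hypothetical HTTPS-only area `/account`, connectors on the default ports 80 and 443, and TLS terminated by Tomcat itself so that `isSecure()` reflects the client connection.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: keeps one area on HTTPS and moves other GET/HEAD requests back to HTTP. */
public class SchemeSwitchFilter implements Filter {
    // Hypothetical HTTPS-only area; connectors assumed on default ports 80 and 443.
    private static final String SECURE_AREA = "/account";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Match on the container-decoded path, not the raw request URI.
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);
        boolean needsTls = path.equals(SECURE_AREA) || path.startsWith(SECURE_AREA + "/");
        boolean redirectable = "GET".equals(req.getMethod()) || "HEAD".equals(req.getMethod());

        if (needsTls == req.isSecure()) {
            chain.doFilter(rq, rs);                 // already on the intended scheme
        } else if (!redirectable) {
            if (needsTls) {
                // The body already crossed the wire in clear text; refuse it.
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
            } else {
                chain.doFilter(rq, rs);             // a redirect would drop the request body
            }
        } else {
            // Protocol-changing self-redirect that preserves path and query string.
            String query = req.getQueryString();
            String target = (needsTls ? "https://" : "http://") + req.getServerName()
                    + req.getRequestURI() + (query == null ? "" : "?" + query);
            res.sendRedirect(target);
        }
    }
}
```

Tomcat marks a session cookie created over HTTPS as `Secure`, so a session started inside the HTTPS area is not sent with the requests this filter moves back to HTTP.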