-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Duncan,
On 12/17/14 12:32 PM, Lyallex wrote: > Yea I thought of this, the problem is I currently have a user area > that requires a login and all this is currently configured in > web.xml and I'm not sure how all this will fit together. I'll try a > few things out and see what happens. You can have multiple, overlapping security-constraints. One of them (which covers the whole site) will require HTTPS, the other (existing one) will require authentication and authorization, but only for certain (again, existing) URL patterns. Should be no problem. - -chris > On 17 December 2014 at 17:20, Mark Thomas <ma...@apache.org> > wrote: >> On 17/12/2014 17:10, Lyallex wrote: >>> Tomcat 7.0.42 jdk1.7.0_51 Ubuntu 12.04/CentOS dev/deploy >>> >>> I have been reading more and more about Google and the like >>> prioritising sites that employ https/ssl by default. Currently >>> my site does not use https but delegates payment to a secure >>> payment provider who does, thusly I have avoided going through >>> the pain of certification etc, now it appears I have little >>> option but to implement https site wide. I have managed to get >>> a keystore going and have configured tomcat to serve a self >>> signed certificate when accessing the site by https (default >>> port 443) >>> >>> so http://localhost accesses the home page and >>> https://localhost pops up a warning in Firefox regarding an >>> unknown certification authority. This is all good and I'm >>> pretty sure I understand so far. >>> >>> I have noticed that if I type http://www.google.co.uk in to a >>> browser the address is automatically changed (redirected) to >>> https://www.google.co.uk and I would like the same to happen to >>> my site. >>> >>> Here is the question. Is this 'redirection' something I need to >>> configure myself , (can it be done in server.xml for example) >>> or is this something the people I rent my server from need to >>> do at their end. >> >> It depends on exactly how things are set up. >> >> The first thing I would try is adding something like the >> following to your web.xml: >> >> <security-constraint> <web-resource-collection> >> <web-resource-name>Everything</web-resource-name> >> <url-pattern>/*</url-pattern> </web-resource-collection> >> <user-data-constraint> >> <transport-guarantee>CONFIDENTIAL</transport-guarantee> >> </user-data-constraint> </security-constraint> >> >> If I have remembered my syntax correctly, that should route >> every request to https if it isn't already. >> >> Mark >> >> >> --------------------------------------------------------------------- >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJUkgWTAAoJEBzwKT+lPKRYVgYP/0MIsch7SiF2bcMqJtDG7Ovn OFSRej7i+6Mjd0efs6h7QKUqAep8C0QKufOFH7Isn2aZa2TYLQXWIKVJtDqbAqz+ 92K/gpWtZ2FGkB/Qg0GNPWNg/em5u/XWJeFjqMPfufZIk/yIZkMByFzDjXiuS/0n rIdadWqzjvkMJcKAfRzO5CuVPcennzovSLB2/ReGA4lYLzc7b81Stxe+6pE0JBg/ XVzu0BFLuBfKHL0KYL/7TFaYQOpbkSc0ROS3UtzNVNyquXMwYjqCDImpcElvnYYZ XX1eMNFnOf6M+sPItHllJiWHzaQYd3vA9axHeE5/F5XiXruYr8V714jRdQH+XCwX FxcalpMw3wbw8OVwFkRZKzlbBhDeWJiurT2vIols5rHjqtrOwDDMrwt7Nzx57VUD 5HTBb+Ghk8lMFfd/VSh6+NjFfqwp5yAvlUhU4PqNrEkjmx150/JBYa9cfVNFwnk7 Wbfb3sWsTzrYPIgw5yOzoI9X3R5gALFBpRqjnhdrJw0wht8s4GNJbpwq4zwQiGto PSyW3mUnMrxarTK4Wq+enRSaQQWgc7BMELdrsH0ixwG8EAA5gCRhfBSV6SVcGAaY tyuNgJv6Pt+C3xQW/BaXOe24mmxuVmjJU0G6A2oFnPiC3J/gbiwPECjFIAR7yEWp 5ZRKipmvLh3vAoJcvvgR =hjT0 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
