Hi Ah, yes, well I'm not really an 'expert' myself but I have been through this recently.
The first thing I would say is that the following looks different to my own config <url-pattern>/cas/WEB-INF/view/jsp/simple/ui</url-pattern> here is one of my constraints <security-constraint> <display-name>Standard user constraint used for checkout and account modification</display-name> <web-resource-collection> <web-resource-name>my super new site</web-resource-name> <url-pattern>/user/LoginPreCheck</url-pattern> <url-pattern>/user/loggedin/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>wpcustomer</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> the url-pattern should be a relative path from the root of your application or some mapped path to a resource (experts correct me if I am wrong please). If you want everything protected then just use * (or /* I think actually). Now when a user tries this URL http://www.mywebapp.co.uk/user/loggedin/editAccount.jsp Tomcat automatically ''redirects' to https. As for the filter, well I'm a bit new to them as well. At the moment I have decided that as long as a user is logged in then I'd like the session to be secure. When they hit the logout button then I don't need secure I just need straight http. Here is my filter public class HttpsRedirectFilter implements Filter{ ... public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { if((request instanceof HttpServletRequest) && (response instanceof HttpServletResponse)){ String redirectTarget = ((HttpServletRequest)request).getRequestURL().toString().replaceFirst("https", "http"); if(request.isSecure()){ ((HttpServletResponse)response).sendRedirect(redirectTarget); } else{ chain.doFilter(request, response); } } } ... Very basic and primitive I'm sure but it does the job The filter is mapped to the /logout url thus <filter> <filter-name>redirectFilter</filter-name> <filter-class>com.foo.bar.baz.HttpsRedirectFilter</filter-class> </filter> <filter-mapping> <filter-name>redirectFilter</filter-name> <url-pattern>/logout</url-pattern> </filter-mapping> Anytime anyone logs out this filter fires and redirects to 'standard' http. Now of course the filter could be a lot more sophisticated but it proved the concept to me, now all I need is that little bit of 'majik' Hope all this helps. All criticism welcome Cheers Duncan On 7/6/07, christianhau <[EMAIL PROTECTED]> wrote:
Thanks man! I have tried a similar approach with the web.xml but no luck. This is what I wrote in web.xml <security-constraint> <web-resource-collection> <web-resource-name>Entire Application</web-resource-name> <url-pattern>/cas/WEB-INF/view/jsp/simple/ui</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> Now I am not 100% sure if the pattern is correct, how would I check that? And another thing, you mentioned a suitable servlet filter? How would you go about making a servlet filter for this purpose and where would you put it? As you can tell from my question I have little experience with servlet filters.. Thanks again :) Lyallex wrote: > > Hi > > This is my first contribution to this list and I expect others will have > better ways of doing it but ... > > The way I managed to get his working is to set the ssl connector port to > the > default ssl port (443) > and my non-ssl connector port to the default http port (80) > Obviously there are issues starting Tomcat on these ports on *NIX systems > but judging by the following > entry in your ssl connector (keystoreFile="/root/.keystore") you appear to > have access to root. > > That should do it > > Also in my etc/hosts file I have set 127.0.0.1 www.mywebapp.co.uk and my > app is the root web app > > so now, combined with the following in web.xml > > <security-constraint> > ... > <user-data-constraint> > <transport-guarantee>CONFIDENTIAL</transport-guarantee> > </user-data-constraint> > ... > </security-constraint> > > and a suitable servlet filter I can switch between http and https almost > at > will with no messing about with ports just by asking for > http://www.mywebapp.co.uk > > Hope this helps > > Cheers > Duncan > > > On 7/6/07, christianhau <[EMAIL PROTECTED]> wrote: >> >> >> Hi! >> >> I have set up a tomcat server with ssl that works fine as long as I go to >> the adress https://adress:8443 I want to get rid of the port number, is >> there any easy way to do this so that tomcat understands the https >> request >> that comes in? >> >> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" >> maxThreads="150" scheme="https" secure="true" >> clientAuth="false" keystorePass="changeit" sslProtocol="TLS" >> keystoreFile="/root/.keystore" >> truststoreFile="/usr/lib/jvm/java-1.5.0-sun/jre/lib/security/cacerts" /> >> >> This is my ssl connector in my server.xml. I tried getting a redirct from >> http to https going but couldn't do that in tomcat alone, any tips on >> that >> aswell? I have done this: >> >> <Connector port="8080" protocol="HTTP/1.1" >> >> redirectPort="8443" /> >> >> With no luck... Thanks for any help!! >> -- >> View this message in context: >> http://www.nabble.com/How-to-remove-port-number-from-https-adress-and-redirect-http-to-https-tf4034030.html#a11459871 >> Sent from the Tomcat - User mailing list archive at Nabble.com. >> >> >> --------------------------------------------------------------------- >> To start a new topic, e-mail: users@tomcat.apache.org >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> For additional commands, e-mail: [EMAIL PROTECTED] >> >> > > -- View this message in context: http://www.nabble.com/How-to-remove-port-number-from-https-adress-and-redirect-http-to-https-tf4034030.html#a11462081 Sent from the Tomcat - User mailing list archive at Nabble.com. --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]