Hi

Ah, yes, well I'm not really an 'expert' myself but I have been through this
recently.

The first thing I would say is that the following looks different to my own
config

<url-pattern>/cas/WEB-INF/view/jsp/simple/ui</url-pattern>

here is one of my constraints

<security-constraint>
   <display-name>Standard user constraint used for checkout and account modification</display-name>
   <web-resource-collection>
     <web-resource-name>my super new site</web-resource-name>
     <url-pattern>/user/LoginPreCheck</url-pattern>
     <url-pattern>/user/loggedin/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>wpcustomer</role-name>
   </auth-constraint>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
</security-constraint>

the url-pattern should be a relative path from the root of your application
or some mapped path to a resource (experts correct me if I am wrong please).
If you want everything protected then just use * (or /* I think actually).

Now when a user tries this URL
http://www.mywebapp.co.uk/user/loggedin/editAccount.jsp Tomcat automatically
'redirects' to https.

As for the filter, well I'm a bit new to them as well. At the moment I have
decided that as long as a user is logged in then I'd like the session to be
secure. When they hit the logout button then I don't need secure I just need
straight http.

Here is my filter

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HttpsRedirectFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if ((request instanceof HttpServletRequest)
                && (response instanceof HttpServletResponse)) {
            // The same URL the client asked for, with the scheme switched to http
            String redirectTarget = ((HttpServletRequest) request)
                    .getRequestURL().toString().replaceFirst("https", "http");
            if (request.isSecure()) {
                // Request arrived over https: send the browser to the plain http URL
                ((HttpServletResponse) response).sendRedirect(redirectTarget);
            } else {
                chain.doFilter(request, response);
            }
        } else {
            // Not an HTTP exchange: pass it down the chain untouched
            chain.doFilter(request, response);
        }
    }

    public void destroy() {
        // nothing to release
    }
}

Very basic and primitive I'm sure but it does the job

The filter is mapped to the /logout url thus

 <filter>
     <filter-name>redirectFilter</filter-name>
     <filter-class>com.foo.bar.baz.HttpsRedirectFilter</filter-class>
 </filter>
 <filter-mapping>
   <filter-name>redirectFilter</filter-name>
   <url-pattern>/logout</url-pattern>
 </filter-mapping>

Anytime anyone logs out this filter fires and redirects to 'standard' http.

Now of course the filter could be a lot more sophisticated, but it proved the
concept to me; now all I need is that little bit of 'majik'.

Hope all this helps.

All criticism welcome

Cheers
Duncan


On 7/6/07, christianhau <[EMAIL PROTECTED]> wrote:


Thanks man!

I have tried a similar approach with the web.xml but no luck. This is what I
wrote in web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/cas/WEB-INF/view/jsp/simple/ui</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Now I am not 100% sure if the pattern is correct; how would I check that?
And another thing, you mentioned a suitable servlet filter? How would you go
about making a servlet filter for this purpose and where would you put it?
As you can tell from my question I have little experience with servlet
filters.

Thanks again :)




Lyallex wrote:
>
> Hi
>
> This is my first contribution to this list and I expect others will have
> better ways of doing it but ...
>
> The way I managed to get this working is to set the ssl connector port to
> the default ssl port (443) and my non-ssl connector port to the default
> http port (80). Obviously there are issues starting Tomcat on these ports
> on *NIX systems, but judging by the following entry in your ssl connector
> (keystoreFile="/root/.keystore") you appear to have access to root.
>
> That should do it
>
> Also in my etc/hosts file I have set 127.0.0.1   www.mywebapp.co.uk and my
> app is the root web app
>
> so now, combined with the following in web.xml
>
> <security-constraint>
> ...
>      <user-data-constraint>
>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
> ...
> </security-constraint>
>
> and a suitable servlet filter I can switch between http and https almost
> at will with no messing about with ports just by asking for
> http://www.mywebapp.co.uk
>
> Hope this helps
>
> Cheers
> Duncan
>
>
> On 7/6/07, christianhau <[EMAIL PROTECTED]> wrote:
>>
>>
>> Hi!
>>
>> I have set up a tomcat server with ssl that works fine as long as I go to
>> the address https://adress:8443. I want to get rid of the port number; is
>> there any easy way to do this so that tomcat understands the https request
>> that comes in?
>>
>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>            maxThreads="150" scheme="https" secure="true"
>>            clientAuth="false" keystorePass="changeit" sslProtocol="TLS"
>>            keystoreFile="/root/.keystore"
>>            truststoreFile="/usr/lib/jvm/java-1.5.0-sun/jre/lib/security/cacerts" />
>>
>> This is my ssl connector in my server.xml. I tried getting a redirect from
>> http to https going but couldn't do that in tomcat alone, any tips on that
>> as well? I have done this:
>>
>> <Connector port="8080" protocol="HTTP/1.1"
>>            redirectPort="8443" />
>>
>> With no luck... Thanks for any help!!
>> --
>> View this message in context:
>> http://www.nabble.com/How-to-remove-port-number-from-https-adress-and-redirect-http-to-https-tf4034030.html#a11459871
>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
>
>

--
View this message in context:
http://www.nabble.com/How-to-remove-port-number-from-https-adress-and-redirect-http-to-https-tf4034030.html#a11462081
Sent from the Tomcat - User mailing list archive at Nabble.com.
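Added example (my own, not code from the thread or from Tomcat): a small offline check of which context-relative paths a web.xml security-constraint actually covers, using the url-pattern rules of the Servlet specification that Tomcat applies (exact, path-prefix "/dir/*", extension "*.ext", catch-all "/*"; the default pattern "/" is not modelled). The web.xml fragment is constructed for the example. It shows why a pattern such as /cas/WEB-INF/view/jsp/simple/ui protects nothing a browser can reach: patterns are matched against the request path after the context path has been removed, so the leading /cas never appears, and content under WEB-INF is never served to clients anyway. It also shows that the exact pattern /logout fires the filter for /logout but not for /logout/.

```python
"""Offline check of servlet url-pattern matching for a web.xml fragment.

Added example, not code from the thread. Patterns are compared against the
context-relative path, i.e. the request path with the webapp's context path
(for example "/cas") already removed, which is what Tomcat does.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment: the poster's constraint whose pattern starts
# with the context name, a prefix constraint like Duncan's, and the logout
# filter mapping. Real descriptors carry an xmlns; the helpers below ignore
# namespaces so they work on those too.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/cas/WEB-INF/view/jsp/simple/ui</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>logged in area</web-resource-name>
      <url-pattern>/user/loggedin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <filter-mapping>
    <filter-name>redirectFilter</filter-name>
    <url-pattern>/logout</url-pattern>
  </filter-mapping>
</web-app>"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Trimmed text of every descendant element called `name`."""
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern match against a context-relative path."""
    if pattern == "/*":
        return True                                  # catch-all
    if pattern.endswith("/*"):                       # path-prefix match
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                     # extension match
        return path.endswith(pattern[1:])
    return path == pattern                           # exact match


def context_relative(request_path, context_path):
    """Remove the context path Tomcat routes on; None if not this webapp."""
    if context_path in ("", "/"):
        return request_path
    if request_path == context_path or request_path.startswith(context_path + "/"):
        return request_path[len(context_path):] or "/"
    return None


def confidential_patterns(web_xml):
    """url-patterns of every constraint demanding CONFIDENTIAL transport."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if "CONFIDENTIAL" in _texts(sc, "transport-guarantee"):
            patterns.extend(_texts(sc, "url-pattern"))
    return patterns


def requires_https(web_xml, path):
    """Constraint patterns that force HTTPS for this context-relative path."""
    return [p for p in confidential_patterns(web_xml) if pattern_matches(p, path)]


def filter_fires(web_xml, filter_name, path):
    """True if a filter-mapping for `filter_name` matches the path."""
    for fm in ET.fromstring(web_xml).iter():
        if _local(fm.tag) == "filter-mapping" and filter_name in _texts(fm, "filter-name"):
            if any(pattern_matches(p, path) for p in _texts(fm, "url-pattern")):
                return True
    return False


if __name__ == "__main__":
    # Requests as a browser would send them to an app deployed under /cas.
    for url in ("/cas/WEB-INF/view/jsp/simple/ui", "/cas/user/loggedin/editAccount.jsp",
                "/cas/logout", "/cas/logout/", "/other/app"):
        rel = context_relative(url, "/cas")
        print(url, "->", rel,
              "| https:", requires_https(WEB_XML, rel) if rel else "-",
              "| logout filter:", filter_fires(WEB_XML, "redirectFilter", rel) if rel else "-")
```

Running it prints one line per request; the WEB-INF request resolves to /WEB-INF/view/jsp/simple/ui and matches no CONFIDENTIAL constraint, while the /user/loggedin/ request does. To protect the whole application the pattern to use is /*, as Duncan says above.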

