Hello, we are planning to activate our intranet with ssl. Along with this, we would like to make this intranet available to our employees from their home. Insite, without ssl, there is no need to identify our user. Anonymous browsing is to be allowed. From outside however, we want to force authentification on all the webapp. So we would like to have a security-constraint on / that applies *only* when webapp is reached using SSL connector. The standard web.xml, afaik, does not support separating constraint depending on http connector. We thought about using some valve that would force users to a specific login url if their are not yet authenticated. Does this somehow already exist in tomcat. Below is a short description of aimed configuration:
http://server/webapp <-- no auth constraint http://server/webapp/admin <-- auth-constraint, role admin http://server/webapp/edit <-- auth-constraint, role admin or publisher https://server/webapp <-- auth contraint, no specific role (or role "user" is needed) https://server/webapp/admin <-- auth-constraint, role admin https://server/webapp/edit <-- auth-constraint, role admin or publisher -- http://www.noooxml.org/ --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]