If you are using Struts for your webapp, there is an extension "sslext"
for this purpose. What it does is: 1) generate a complete URL with the
proper scheme using its tag; 2) redirect (as you said in your email)
if the incoming request has an unmatched scheme for the target resource.

Hansen 

-----Original Message-----
From: tamsin [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 29, 2006 7:25 AM
To: Tomcat-Users
Subject: security-constraint 

Hi all,

I wonder if anyone can help me. I've recently taken over management of
our Tomcat webapp, and have been listening to the list for a while,
although I don't know enough to contribute much yet, I am afraid.

I'm using the following security-constraint to make sure that any user
using our payment module is transferred to https

<security-constraint>
       <display-name>Secure Access</display-name>
       <web-resource-collection>
          <web-resource-name>OrderPayment</web-resource-name>
          <url-pattern>/OrderPayment</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
</security-constraint>

This works fine - if I request http://mydomain/OrderPayment I get
transferred to https.

However, after they've finished paying I really want to transfer them
back to http. I couldn't see a way of doing this using web.xml - the
info I found on the net suggested this isn't possible.

So, I thought I could write a filter to do this. I can easily write a
filter which uses sendRedirect to transfer an https request to http, but
I wanted to know the best way to see which requests to do this to. I
could hard code into my filter the names of the pages I want to be
secure, but I wondered if there is any way of finding out
programmatically which requests are covered by the security-constraint,
and then do the redirect on any that are https and aren't covered.

Does that make sense? i.e. can I do something like :

if (request.getScheme().equals("https")
        && !request.hasConfidentialSecurityConstraint()) {

(And does this in general sound like a sensible way of doing things?)

Thanks for any help,
Tamsin
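As an added illustration (not code from either poster, and not part of the Servlet API): the Servlet API has no `hasConfidentialSecurityConstraint()` method, so a filter that wants to know which paths web.xml marks as CONFIDENTIAL has to read the descriptor itself. The hypothetical `DowngradeToHttpFilter` below parses `/WEB-INF/web.xml` at startup, collects the `url-pattern`s of every constraint whose `transport-guarantee` is CONFIDENTIAL or INTEGRAL, and then redirects any HTTPS GET whose path is not covered back to plain HTTP. Pattern matching follows the servlet-spec rules (exact, `/dir/*` prefix, `*.ext` extension, `/` default). The class name, the `/*` filter mapping it assumes, and the assumption that plain HTTP runs on the default port are all mine.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Hypothetical example filter (not part of the Servlet API or Tomcat):
 * sends HTTPS requests back to HTTP when the path is not protected by a
 * CONFIDENTIAL/INTEGRAL security-constraint in web.xml. Map it to /*.
 */
public class DowngradeToHttpFilter implements Filter {

    private final List<String> securePatterns = new ArrayList<String>();

    public void init(FilterConfig config) throws ServletException {
        InputStream in = config.getServletContext().getResourceAsStream("/WEB-INF/web.xml");
        if (in == null) {
            throw new ServletException("cannot read /WEB-INF/web.xml");
        }
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            // web.xml is trusted, but refuse DOCTYPEs anyway so no external entity is ever resolved
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            Document doc = dbf.newDocumentBuilder().parse(in);
            NodeList constraints = doc.getElementsByTagName("security-constraint");
            for (int i = 0; i < constraints.getLength(); i++) {
                Element sc = (Element) constraints.item(i);
                NodeList tg = sc.getElementsByTagName("transport-guarantee");
                if (tg.getLength() == 0) continue;          // no user-data-constraint: plain HTTP is fine
                String guarantee = tg.item(0).getTextContent().trim();
                if (!"CONFIDENTIAL".equals(guarantee) && !"INTEGRAL".equals(guarantee)) continue;
                NodeList patterns = sc.getElementsByTagName("url-pattern");
                for (int j = 0; j < patterns.getLength(); j++) {
                    securePatterns.add(patterns.item(j).getTextContent().trim());
                }
            }
        } catch (Exception e) {
            throw new ServletException("cannot parse /WEB-INF/web.xml", e);
        } finally {
            try { in.close(); } catch (IOException ignored) { }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // url-patterns are relative to the context root, so strip the context path first
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // Only downgrade idempotent GETs: a redirected POST would lose its body.
        if (request.isSecure() && "GET".equals(request.getMethod()) && !isCovered(path)) {
            // Assumes plain HTTP on the default port; getServerName() echoes the Host header.
            String location = "http://" + request.getServerName() + request.getContextPath() + path;
            if (request.getQueryString() != null) {
                location += "?" + request.getQueryString();
            }
            response.sendRedirect(location);
            return;
        }
        chain.doFilter(req, resp);
    }

    /** Servlet-spec url-pattern matching: exact, "/dir/*" prefix, "*.ext" extension, "/" default. */
    boolean isCovered(String path) {
        for (String p : securePatterns) {
            if (p.equals(path)) return true;
            if (p.endsWith("/*")) {
                String prefix = p.substring(0, p.length() - 2);
                if (path.equals(prefix) || path.startsWith(prefix + "/")) return true;
            } else if (p.startsWith("*.")) {
                if (path.endsWith(p.substring(1))) return true;
            } else if (p.equals("/")) {
                return true;
            }
        }
        return false;
    }

    public void destroy() { }
}
```

Two practical caveats before deploying something like this: a session cookie that Tomcat issued with the Secure flag during the HTTPS part of the flow will not be sent on the HTTP side, so the user can appear logged out after the downgrade; and any session ID or other state carried in the URL becomes visible in the clear once you redirect. If those matter, it is usually simpler to keep the whole authenticated area on HTTPS rather than bounce users back to HTTP.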


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]