If you are using struts for your webapp, there is an extension "sslext" for this purpose. What it does is: 1) generate complete url with property scheme using its tag; 2) redirect (as you said in your email) if the incoming has unmatched scheme for the target resource.
Hansen

-----Original Message-----
From: tamsin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 29, 2006 7:25 AM
To: Tomcat-Users
Subject: security-constraint

Hi all,

I wonder if anyone can help me, I've recently taken over management of our Tomcat webapp, and have been listening to the list for a while, although don't know enough to contribute much yet I am afraid.

I'm using the following security-constraint to make sure that any user using our payment module is transferred to https

<security-constraint>
  <display-name>Secure Access</display-name>
  <web-resource-collection>
    <web-resource-name>OrderPayment</web-resource-name>
    <url-pattern>/OrderPayment</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

This works fine - if I request http://mydomain/OrderPayment I get transferred to https. However, after they've finished paying I really want to transfer them back to http. I couldn't see a way of doing this using web.xml - the info I found on the net suggested this isn't possible.

So, I thought I could write a filter to do this. I can easily write a filter which uses sendRedirect to transfer an https request to http, but I wanted to know the best way to see which requests to do this to. I could hard code into my filter the names of the pages I want to be secure, but I wondered if there is any way of finding out programmatically which requests are covered by the security-constraint, and then any that are https and aren't covered, do the redirect on. Does that make sense?

i.e. can I do something like :

if (request.getScheme().equals("https") && !request.hasConfidentialSecurityContraint()) {

(And does this in general sound like a sensible way of doing things?)

Thanks for any help,
Tamsin