Hi,

Thanks, I did vaguely come across that, but we're not using Struts :(

I'm guessing based on the lack of replies that I can't detect something that's not covered by a security constraint. Has anyone done anything like this? I guess I'll either do what I said below, or bin the security constraint and do the switching both ways in my Filter, so at least it is only configured in one place.

Thanks,
Tamsin

-----Original Message-----
From: Wang, Hansen [mailto:[EMAIL PROTECTED]
Sent: 30 March 2006 01:23
To: Tomcat Users List
Subject: RE: security-constraint

If you are using struts for your webapp, there is an extension "sslext" for this purpose. What it does is:
1) generate complete url with property scheme using its tag;
2) redirect (as you said in your email) if the incoming has unmatched scheme for the target resource.

Hansen

-----Original Message-----
From: tamsin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 29, 2006 7:25 AM
To: Tomcat-Users
Subject: security-constraint

Hi all,

I wonder if anyone can help me, I've recently taken over management of our Tomcat webapp, and have been listening to the list for a while, although don't know enough to contribute much yet I am afraid.

I'm using the following security-constraint to make sure that any user using our payment module is transferred to https:

    <security-constraint>
      <display-name>Secure Access</display-name>
      <web-resource-collection>
        <web-resource-name>OrderPayment</web-resource-name>
        <url-pattern>/OrderPayment</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

This works fine - if I request http://mydomain/OrderPayment I get transferred to https. However, after they've finished paying I really want to transfer them back to http. I couldn't see a way of doing this using web.xml - the info I found on the net suggested this isn't possible. So, I thought I could write a filter to do this.
I can easily write a filter which uses sendRedirect to transfer an https request to http, but I wanted to know the best way to see which requests to do this to. I could hard code into my filter the names of the pages I want to be secure, but I wondered if there is any way of finding out programmatically which requests are covered by the security-constraint, and then any that are https and aren't covered, do the redirect on. Does that make sense? i.e. can I do something like:

    if (request.getScheme().equals("https") && !request.hasConfidentialSecurityContraint()) {

(And does this in general sound like a sensible way of doing things?)

Thanks for any help,
Tamsin
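
Added example, not part of the original thread: one way to build the filter Tamsin describes, as a Java servlet filter that collects the url-pattern entries of every security-constraint in /WEB-INF/web.xml whose transport-guarantee is not NONE and redirects any other https GET request back to http. It goes beyond the thread's single /OrderPayment pattern by also handling prefix and extension patterns. The class name SchemeSwitchFilter is hypothetical, and the code assumes the javax.servlet API (jakarta.servlet on newer containers), http on port 80, no http-method restrictions inside the constraints, and a connector that only answers for the expected host name, since getServerName() reflects the Host header.

```java
import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.xml.parsers.*;
import org.w3c.dom.*;
// Added example; SchemeSwitchFilter is a hypothetical name, not code from the thread.
public class SchemeSwitchFilter implements Filter {
    private final List<String> secured = new ArrayList<>(); // patterns that need https
    public void init(FilterConfig cfg) throws ServletException {
        try (InputStream in = cfg.getServletContext().getResourceAsStream("/WEB-INF/web.xml")) {
            DocumentBuilder b = DocumentBuilderFactory.newInstance().newDocumentBuilder();
            // Return an empty entity so a DOCTYPE in web.xml triggers no network fetch.
            b.setEntityResolver((p, s) -> new org.xml.sax.InputSource(new StringReader("")));
            NodeList cs = b.parse(in).getElementsByTagName("security-constraint");
            for (int i = 0; i < cs.getLength(); i++) {
                Element c = (Element) cs.item(i);
                NodeList tg = c.getElementsByTagName("transport-guarantee");
                String g = tg.getLength() == 0 ? "NONE" : tg.item(0).getTextContent().trim();
                if (g.equals("NONE")) continue; // Tomcat requires SSL for INTEGRAL as well
                NodeList ps = c.getElementsByTagName("url-pattern");
                for (int j = 0; j < ps.getLength(); j++)
                    secured.add(ps.item(j).getTextContent().trim());
            }
        } catch (Exception e) {
            throw new ServletException("cannot read transport guarantees from web.xml", e);
        }
    }
    static boolean matches(String pat, String path) {
        if (pat.endsWith("/*")) // prefix pattern: /a/* covers /a and everything below it
            return (path + "/").startsWith(pat.substring(0, pat.length() - 1));
        if (pat.startsWith("*.")) return path.endsWith(pat.substring(1)); // extension
        return pat.equals("/") || pat.equals(path); // default servlet or exact match
    }
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        boolean covered = secured.stream().anyMatch(p -> matches(p, path));
        // GET only (a redirected POST loses its body); assumes http on port 80, same host.
        if (req.isSecure() && !covered && "GET".equals(req.getMethod())) {
            String q = req.getQueryString() == null ? "" : "?" + req.getQueryString();
            ((HttpServletResponse) rs).sendRedirect(
                    "http://" + req.getServerName() + req.getRequestURI() + q);
            return;
        }
        chain.doFilter(rq, rs);
    }
    public void destroy() {}
}
```

Map the filter to /* in web.xml so it sees every request. Tomcat marks a session cookie created over https as Secure, so a session first created on the payment page is not sent on the later http requests.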