Chris,

Thanks for the response, but I think I explained myself wrong. The http redirect to https works when I use just this entry in my web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

But if I want to force http to https and lock the second url pattern from a browser accessing files in that directory, it locks down the entire site based on the first url-pattern /*, and without the /* the http to https does not work at the root directory of the app.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
        <url-pattern>/path to directory/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

I can't figure out how to force http to https and lock down a directory from being browsed.

Thanks,
Kent Cole

> On Dec 14, 2023, at 10:09 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Kent,
>
> On 12/14/23 09:13, ResSoft wrote:
>> I am currently forcing my app to use https. Here is what I have in my
>> app web.xml file and it works as intended
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>securedapp</web-resource-name>
>> <url-pattern>/*</url-pattern>
>> </web-resource-collection>
>> <user-data-constraint>
>> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> </user-data-constraint>
>> </security-constraint>
>> I also now want to restrict the browser from pulling up files in certain
>> directories. Searching the web, I see to use the following
>> <security-constraint>
>> <web-resource-collection>
>> =
>
> I hope this is just a stray = added by your email program. If it's not,
> please remove it.
>
>> <web-resource-name>HTTP-Protected-Resource-1</web-resource-name>
>> <description>Description here</description>
>> <url-pattern >/path to directory/path to directory/*</url-pattern>
>> <http-method>GET</http-method>
>> <http-method>POST</http-method>
>
> What about HEAD requests? Or PUT? Or maybe FOO?
>
> Don't forget that any client can try any HTTP method verb. It doesn't have to
> make any sense, and most code assumes GET unless it's looking for something
> else.
>
>> </web-resource-collection>
>> <auth-constraint/>
>> </security-constraint>
>> These both work independently of each other. What I can't
>> figure out is how to make them work together. When I try that, all
>> files are forbidden as it appears the <url-pattern>/*</url-pattern>
>> locks everything down. But without it, I cannot get tomcat to force
>> http to https.
>
> Have you set a redirectPort in your HTTP <Connector>?
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
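A web.xml layout for the two goals discussed in this thread, added here as an illustration rather than taken from any message in it: the CONFIDENTIAL transport guarantee stays in its own constraint on /*, and the directory lock-down is a second, separate constraint with an empty auth-constraint and no http-method list, so it covers every verb (the HEAD/PUT/FOO point above). The directory name /private/*, the resource names, and the connector ports are assumed placeholders.

```xml
<!-- Fragment placed inside <web-app> in WEB-INF/web.xml (illustrative; /private/* is an assumed path). -->

<!-- 1. Transport guarantee for the whole application.
        Any plain-http request to any path is redirected to https. The redirect only
        happens if the HTTP <Connector> in conf/server.xml names the TLS port, e.g.
        <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/> (assumed ports). -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- 2. Access denial for one directory only, kept as a separate constraint so the /*
        pattern of constraint 1 does not pull the whole site into the deny rule.
        No <http-method> elements are listed, which makes the constraint apply to every
        method (GET, HEAD, POST, PUT, and any unknown verb). The empty <auth-constraint/>
        means no role is permitted, so Tomcat answers 403 regardless of who is logged in. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>private-directory</web-resource-name>
        <url-pattern>/private/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
```

Because constraint 1 still matches /private/*, a plain-http request for a file there is redirected to https first and then denied with 403 by constraint 2; the rest of the site is redirected but otherwise served as before.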