Chris, I figured out how to make this work. It works in my dev box but not in my prod box. Both have the same version of Tomcat. Here is the web.xml entry. Any ideas would be great.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTP-Protected-Resource-1</web-resource-name>
        <description>Description here</description>
        <url-pattern>/path to directory/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

Thanks,
Kent Cole

> On Dec 14, 2023, at 10:09 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Kent,
>
> On 12/14/23 09:13, ResSoft wrote:
>> I am currently forcing my app to use https. Here is what I have in my
>> app web.xml file and it works as intended
>> <security-constraint>
>>     <web-resource-collection>
>>         <web-resource-name>securedapp</web-resource-name>
>>         <url-pattern>/*</url-pattern>
>>     </web-resource-collection>
>>     <user-data-constraint>
>>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>     </user-data-constraint>
>> </security-constraint>
>> I also now want to restrict the browser from pulling up files in certain
>> directories. Searching the web, I see to use the following
>> <security-constraint>
>>     <web-resource-collection>
>> =
>
> I hope this is just a stray = added by your email program. If it's not,
> please remove it.
>
>>         <web-resource-name>HTTP-Protected-Resource-1</web-resource-name>
>>         <description>Description here</description>
>>         <url-pattern>/path to directory/path to directory/*</url-pattern>
>>         <http-method>GET</http-method>
>>         <http-method>POST</http-method>
>
> What about HEAD requests? Or PUT? Or maybe FOO?
>
> Don't forget that any client can try any HTTP method verb. It doesn't have to
> make any sense, and most code assumes GET unless it's looking for something
> else.
>
>>     </web-resource-collection>
>>     <auth-constraint/>
>> </security-constraint>
>> These both work independently of each other. What I can't
>> figure out is how to make them work together. When I try that, all
>> files are forbidden as it appears the <url-pattern>/*</url-pattern>
>> locks everything down. But without it, I cannot get tomcat to force
>> http to https.
>
> Have you set a redirectPort in your HTTP <Connector>?
>
> -chris
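
The point raised in the quoted reply about HEAD, PUT and other unlisted verbs can be checked mechanically. The following is an added example, not code from this thread or from Tomcat: a Python check that flags any access-restricted web-resource-collection that names specific <http-method> elements, since methods it does not name are left uncovered by that constraint. The <web-app> wrapper, the /protected/* path and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two constraints from the message inside a <web-app>
# root; "/protected/*" stands in for the poster's directory path.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>securedapp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTP-Protected-Resource-1</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip an XML namespace so javaee/jakartaee descriptors parse the same."""
    return tag.rsplit("}", 1)[-1]

def find_method_gaps(web_xml):
    """Return (url-pattern, listed methods) for auth constraints that name methods."""
    root = ET.fromstring(web_xml)
    # Servlet 3.1 element: the container denies every uncovered method itself.
    if any(local(e.tag) == "deny-uncovered-http-methods" for e in root):
        return []
    gaps = []
    for sc in (e for e in root if local(e.tag) == "security-constraint"):
        if not any(local(c.tag) == "auth-constraint" for c in sc):
            continue  # transport-only constraint: no access rule to fall outside of
        for wrc in (c for c in sc if local(c.tag) == "web-resource-collection"):
            methods = sorted((m.text or "").strip() for m in wrc if local(m.tag) == "http-method")
            patterns = [(p.text or "").strip() for p in wrc if local(p.tag) == "url-pattern"]
            if methods:
                gaps += [(p, methods) for p in patterns]
    return gaps

if __name__ == "__main__":
    for pattern, methods in find_method_gaps(SAMPLE_WEB_XML):
        print(f"{pattern}: only {methods} constrained; other methods are uncovered")
```

An empty result means either no access-restricted collection lists methods, so the constraint applies to every verb, or the descriptor declares <deny-uncovered-http-methods/>.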