What you'll really want is to ditch the transport guarantee clause in
web.xml and create a filter which will be smart enough to force/unforce
you from SSL.
For example:
doFilter(...) {
    // Decide whether this request needs SSL
    boolean isSSLRequired = magicYesNo(request);
    if (isSSLRequired && !request.isSecure()) {
        doSomeRedirectToSSL(...);
        return;
    } else if (!isSSLRequired && request.isSecure()) {
        doSomeRedirectToNotSSL(...);
        return;
    }
    // Already on the right transport: continue down the filter chain
    chain.doFilter(...);
}
-Tim
Lyallex wrote:
Hi
Java 1.5.0_10
Tomcat 5.5.17
I've just spent the past couple of hours reading past postings to this list
at marc.info
The subject I'm interested in is the efficient use of ssl/https.
I have managed to get the 'redirection' to https working with the following
entry in web.xml (amongst other config type things)
<security-constraint>
...
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
The problem, as I'm sure you've guessed by now, is that once an account is
logged in
I want the client to be able to browse the site via http, not https.
I know this issue has been around since at least 2004 (this is as far back
as I went).
The Tomcat Docs at
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html state
<quote>
"... Also, while the SSL protocol was designed to be as efficient as
securely possible,
encryption/decryption is a computationally expensive process from a
performance standpoint.
It is not strictly necessary to run an entire web application over SSL, and
indeed a developer
can pick and choose which pages require a secure connection and which do
not..."
</quote>
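A fuller version of the filter sketched in the reply above, added here as an example and not code from either poster or from Tomcat. The class name and the init-param names (securePrefixes, host, httpPort, httpsPort) are assumptions, and the path-prefix match stands in for magicYesNo().

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter; the class name and init-param names are assumptions.
public class TransportFilter implements Filter {
    private String[] securePrefixes;
    private String host, httpPort, httpsPort;

    public void init(FilterConfig cfg) {
        securePrefixes = cfg.getInitParameter("securePrefixes").split(",");
        host = cfg.getInitParameter("host"); // configured, not taken from the Host header
        httpPort = cfg.getInitParameter("httpPort");
        httpsPort = cfg.getInitParameter("httpsPort");
    }

    public void destroy() {}
    // Stands in for magicYesNo(): SSL is required under the configured path prefixes.
    private boolean isSSLRequired(HttpServletRequest req) {
        String path = req.getRequestURI().substring(req.getContextPath().length());
        for (String p : securePrefixes) if (path.startsWith(p.trim())) return true;
        return false;
    }

    // Rebuild the same URI and query string under the other scheme.
    private String switchScheme(HttpServletRequest req, boolean toSSL) {
        String port = toSSL ? httpsPort : httpPort;
        StringBuilder url = new StringBuilder(toSSL ? "https://" : "http://").append(host);
        if (!port.equals(toSSL ? "443" : "80")) url.append(':').append(port);
        url.append(req.getRequestURI());
        if (req.getQueryString() != null) url.append('?').append(req.getQueryString());
        return url.toString();
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        boolean sslRequired = isSSLRequired(req);
        if (sslRequired == req.isSecure()) {
            chain.doFilter(rq, rs); // already on the right transport
        } else if (sslRequired && !"GET".equals(req.getMethod())) {
            // A redirect would drop the body, which has already crossed the wire in clear.
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
        } else {
            res.sendRedirect(switchScheme(req, sslRequired));
        }
    }
}
```

A session cookie flagged Secure is not sent on the http pages, so a login session that has to survive the switch back to http travels without that flag and in clear text.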