Hi
Just a short note to say thanks to those that replied to my post
I've spent the past three days trying to figure out the best approach given
all the options available and I have something working. It's doesn't work
quite how I'd like, the main problem being that when I get a
RequestDispatcher in a Servlet and forward to a resource that has a mapping
to a Filter the Filter doesn't fire. I think I understand why (forwarding
passes the request and response to another resource, it's not like making a
request) but it doesn't really help me. Still, like someone said, it's all a
matter of tradeoffs.
Regards
Duncan
On 6/29/07, Lyallex <[EMAIL PROTECTED]> wrote:
Hi
Java 1.5.0_10
Tomcat 5.5.17
I've just spent the past couple of hours reading past postings to this
list at marc.info
The subject I'm interested in is the efficient use of ssl/https.
I have managed to get the 'redirection' to https working with the
following
entry in web.xml (amongst other config type things)
<security-constraint>
...
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
The problem, as I'm sure you've guessed by now is that once an account is
logged in
I want the client to be able to browse the site via http, not https.
I know this issue has been around since at least 2004 (this is as far back
as I went)
The Tomcat Docs at http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.htmlstate
<quote>
"... Also, while the SSL protocol was designed to be as efficient as
securely possible,
encryption/decryption is a computationally expensive process from a
performance standpoint.
It is not strictly necessary to run an entire web application over SSL,
and indeed a developer
can pick and choose which pages require a secure connection and which do
not..."
</quote>
Marvelous... thing is I've seen various solutions suggested from fronting
Tomcat with Apache httpd and
using something called modRedirect to writing some sort of filter. Have
the experts come to some sort of conclusion
as to the best way to 'pick and choose which pages require a secure
connection...' given the various security issues that seem to be of concern
etc.
Many thanks for reading this, I'm sure you're all bored to tears by this
subject now.
Rgds
Duncan
