Hi

There seems to be an awful lot of confusion on this list about container managed security and https ... I know I was confused when I started with it.

As I see it the two are not really connected. I think what you want to do is to force an https request for certain resources in your application. One way of doing this is to add this to your security constraint

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

Of course, as always, this is not the complete answer but it should get you started. (see http://java.sun.com/j2ee/dtds/web-app_2_2.dtd for where this goes in web.xml)

If you were to configure the <auth-method>FORM</auth-method> (for example) with a suitable login form then when you attempt to access a protected resource that has the required transport guarantee associated with it, access to that resource will not only require a user to log in but access to the resource itself will 'automatically' be over https.

As usual I'm sure there are other (better) ways of doing this but it works for me. I hope this helps.

Rgds

Duncan

On 7/16/07, Dimitris Mouchritsas <[EMAIL PROTECTED]> wrote:
Mark Thomas wrote:
> Dimitris Mouchritsas wrote:
>
>> <login-config>
>>     <auth-method>HTTPS</auth-method>
>>     <realm-name>ORA Examples</realm-name>
>> </login-config>
>
> There is no such authentication method defined in the spec. If you
> want client certificate authentication then the correct value is
> CLIENT-CERT.
>
> Mark
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

No, I don't want client certification at the moment, only the encryption that https offers. So if I want a subdirectory (e.g. admin) of my webapp, or my entire webapp to be accessible _only_ under https what should I do?