Hi

There seems to be an awful lot of confusion on this list about
container managed security and https ... I know I was confused when I
started with it.

As I see it the two are not really connected.

I think what you want to do is to force an https request for certain
resources in your application.

One way of doing this is to add this to your security constraint

<user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

Of course, as always, this is not the complete answer but it should
get you started.

(see http://java.sun.com/j2ee/dtds/web-app_2_2.dtd for where this goes
in web.xml)

If you were to configure the
<auth-method>FORM</auth-method> (for example)
with a suitable login form then when you attempt to access a protected
resource that has the required transport guarantee associated with it,
access to that resource will not only require a user to log in but
access to the resource itself will 'automatically' be over https.

As usual I'm sure there are other (better) ways of doing this but it
works for me.

I hope this helps.

Rgds
Duncan

On 7/16/07, Dimitris Mouchritsas <[EMAIL PROTECTED]> wrote:
Mark Thomas wrote:
> Dimitris Mouchritsas wrote:
>
>>   <login-config>
>>     <auth-method>HTTPS</auth-method>
>>     <realm-name>ORA Examples</realm-name>
>>   </login-config>
>>
>
> There is no such authentication method defined in the spec. If you
> want client certificate authentication then the correct value is
> CLIENT-CERT.
>
> Mark
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>

No, I don't want client certification at the moment, only the encryption
that https offers.
So if I want a subdirectory (e.g. admin) of my webapp, or my entire
webapp to be accessible
_only_ under https what should I do?
