I'm trying to add Authentication (over HTTPS) to a Struts-based web app
and am running into problems.
I can get Tomcat (5.5.26) to authenticate the user (using Basic login)
without issue, but I can't seem to get a Struts-based login form to
work. Because of the way the passwords are encrypted, I need to use a
custom login (via Struts forms) or create a new Realm (something I'd
rather not start, due to time constraints).
The intent is as follows:
For the main site: plain HTTP access
For the administration and sample submission areas, require
authentication over HTTPS
Disallow DELETE and PUT methods from all areas.
I've configured Tomcat as follows:
In web.xml
...
<security-constraint>
    <display-name>Administration Methods</display-name>
    <web-resource-collection>
        <web-resource-name>admin methods</web-resource-name>
        <description/>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin_user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
I've also added a filter to capture all requests (/*) that checks the
requested path; if that path is a "privileged" path (admin or
submission), then check that the user is authenticated and within the
specified role (as configured in the filter).
I changed the role-name to * in the above auth-constraint and removed
(commented out) the <login-config> section of web.xml.
So my question is this: how do I force HTTPS on some portions of a
Struts-based web site? With the filter, I can force authentication, but
not the HTTPS constraint.
Thanks in advance,
Gord
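One way to do what the question asks, given here as an added example and not as code from the original post: a servlet filter mapped to /* that redirects plain-HTTP GET and HEAD requests for the privileged prefixes to the same URI over HTTPS, refuses other methods that arrive over plain HTTP (a POST body has already been exposed, and a redirect would silently drop it), and rejects PUT and DELETE everywhere. The class name, the init-param names (securePrefixes, httpsPort, canonicalHost) and the /admin/ and /submit/ prefixes are assumptions made for this example. Two caveats a practitioner should know before relying on the web.xml above: listing GET and POST in the web-resource-collection constrains only those two methods, so every other method, PUT and DELETE included, reaches /admin/* with no authentication or transport constraint at all, which is the opposite of the stated intent; and HttpServletRequest.isSecure() is only true when Tomcat itself terminates TLS (or the connector is declared secure="true"), so behind a TLS-offloading proxy the filter needs a different signal.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not code from the original post. Mapped to the whole app in
 * web.xml, it (1) rejects PUT and DELETE everywhere and (2) forces HTTPS on the
 * configured privileged prefixes. The init-param names are hypothetical:
 *
 *   <filter>
 *     <filter-name>requireHttps</filter-name>
 *     <filter-class>RequireHttpsFilter</filter-class>
 *     <init-param><param-name>securePrefixes</param-name>
 *                 <param-value>/admin/, /submit/</param-value></init-param>
 *     <init-param><param-name>httpsPort</param-name><param-value>8443</param-value></init-param>
 *     <init-param><param-name>canonicalHost</param-name><param-value>www.example.org</param-value></init-param>
 *   </filter>
 *   <filter-mapping><filter-name>requireHttps</filter-name><url-pattern>/*</url-pattern></filter-mapping>
 */
public class RequireHttpsFilter implements Filter {
    private static final Set<String> FORBIDDEN_METHODS =
            new HashSet<String>(Arrays.asList("PUT", "DELETE"));

    private final List<String> securePrefixes = new ArrayList<String>();
    private int httpsPort = 443;
    private String canonicalHost; // null = fall back to the request's Host header

    public void init(FilterConfig config) throws ServletException {
        String prefixes = config.getInitParameter("securePrefixes");
        if (prefixes != null) {
            for (String p : prefixes.split(",")) {
                p = p.trim();
                if (p.length() == 0) continue;
                // Store with a trailing slash so "/admin" cannot match "/administrator".
                securePrefixes.add(p.endsWith("/") ? p : p + "/");
            }
        }
        String port = config.getInitParameter("httpsPort");
        if (port != null) httpsPort = Integer.parseInt(port.trim());
        canonicalHost = config.getInitParameter("canonicalHost");
    }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String method = request.getMethod().toUpperCase();

        // (1) Disallow PUT and DELETE for all areas, whatever the transport.
        if (FORBIDDEN_METHODS.contains(method)) {
            response.setHeader("Allow", "GET, HEAD, POST");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }

        // (2) Privileged paths must arrive over TLS.
        if (isPrivileged(request) && !request.isSecure()) {
            if ("GET".equals(method) || "HEAD".equals(method)) {
                response.sendRedirect(toHttpsUrl(request));
            } else {
                // The request body was already sent in the clear; a redirect would
                // drop it silently, so refuse instead of pretending it was protected.
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            }
            return;
        }
        chain.doFilter(req, res);
    }

    /** Path relative to the context root, as decoded and normalised by the container. */
    boolean isPrivileged(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();
        for (String prefix : securePrefixes) {
            // "/admin/" matches "/admin/users.do" and the bare "/admin" request.
            if (path.startsWith(prefix) || (path + "/").equals(prefix)) return true;
        }
        return false;
    }

    /** Same URI and query string, https scheme, configured host and port. */
    String toHttpsUrl(HttpServletRequest request) {
        String host = canonicalHost != null ? canonicalHost : request.getServerName();
        StringBuffer url = new StringBuffer("https://").append(host);
        if (httpsPort != 443) url.append(':').append(httpsPort);
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) url.append('?').append(request.getQueryString());
        return url.toString();
    }
}
```

The prefix test uses getServletPath() plus getPathInfo() rather than the raw getRequestURI(), because the container has already decoded and normalised those two, so "/%61dmin/" or "/admin/../admin/" cannot slip past a plain string comparison. The redirect target uses the configured canonicalHost when one is set; getServerName() is taken from the client's Host header, and building a redirect from it lets a client steer the browser to a host of its choosing.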