Hi All,

I want to use j_security_check with HTTPS on port 8443. I only want to
secure the login pages and not the whole application.

So these pages need to be secured when accessed:
/secure/login.jsp
/secure/loginerr.jsp

Everything else is secured by form-based authentication and uses an LDAP
realm.

So I have set up in my web.xml:
<security-constraint>
        <web-resource-collection>
                <web-resource-name>Security</web-resource-name>
                <description></description>
                <url-pattern>/*</url-pattern>
                <http-method>DELETE</http-method>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
                <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
                <description></description>
                <role-name>person</role-name>
        </auth-constraint>
</security-constraint>

<security-role>
        <description>All users who can login should be able to use this application</description>
        <role-name>person</role-name>
</security-role>
<login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
                <form-login-page>/secure/login.jsp</form-login-page>
                <form-error-page>/secure/loginerr.jsp</form-error-page>
        </form-login-config>
</login-config>

<security-constraint>
        <web-resource-collection>
                <web-resource-name>Security</web-resource-name>
                <description></description>
                <url-pattern>/secure/*</url-pattern>
                <url-pattern>/j_security_check</url-pattern>
                <url-pattern>/secure/j_security_check</url-pattern>
                <url-pattern>/j_security_check</url-pattern>
                <http-method>DELETE</http-method>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
                <http-method>PUT</http-method>
        </web-resource-collection>
        <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
</security-constraint>

The problem is when I hit the application where I have form authentication
connection to LDAP, it uses the /secure/login.jsp page, because
j_security_check redirects to this page.

But it is not forced to HTTPS, because the URL pattern doesn't match. So how
can I force the login.jsp page to be HTTPS? I don't want my LDAP user
password floating around out there.
-- 
View this message in context: 
http://www.nabble.com/j_secuity-check-and-https-tp20603453p20603453.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
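
Added example, not part of the original post: a small Python model of the Servlet specification's "best match" rule for security constraints, run over a constructed, trimmed copy of the two constraints above. It shows which constraint governs a requested URL; the path /index.jsp and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the two constraints from the post (descriptions and
# http-method lists dropped; this sketch assumes GET/POST, which both list).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>person</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/secure/*</url-pattern>
      <url-pattern>/j_security_check</url-pattern>
      <url-pattern>/secure/j_security_check</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

def rank(pattern, path):
    """Servlet 'best match' order: exact > longest prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def effective(path, web_xml=WEB_XML):
    """Return (roles, transport) that apply to a request for `path`."""
    hits = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else {r.text.strip() for r in auth.iter("role-name")}
        tg = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        ranks = [r for p in sc.iter("url-pattern") if (r := rank(p.text.strip(), path))]
        if ranks:
            hits.append((max(ranks), roles, tg))
    if not hits:
        return None, "NONE"
    best = max(h[0] for h in hits)
    chosen = [h for h in hits if h[0] == best]
    # Combining rule: a constraint without auth-constraint leaves access open;
    # HTTPS is required only if every chosen constraint requires it.
    roles = None if any(h[1] is None for h in chosen) else set().union(*(h[1] for h in chosen))
    transport = "CONFIDENTIAL" if all(h[2] == "CONFIDENTIAL" for h in chosen) else "NONE"
    return roles, transport
```

A request for /index.jsp is governed only by the /* constraint (role person, no transport guarantee), while a direct request for /secure/login.jsp is governed only by the /secure/* constraint (CONFIDENTIAL, no role).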

