Hi all,
I am trying to set up my Tomcat webapp to be secure for login
only. It works as you'd expect if the security-constraint for /* is
unsecure and if I make it secure (using CONFIDENTIAL) for /*.
However, if I try to make it secure only for the login page and
unsecure elsewhere, any attempt to go to a page redirects to the login
page but unsecured - not using https and the higher port. I've seen
comments about filters to redirect up to the https port, but my
thoughts are:
1) From what I understand it should be possible with multiple
constraints for different URLs, and
2) as I only want to do this if the user is not logged in, I'm not sure
how the filter would work.
I have a working https Connector because I can use the service
configured for /* to be secure.
Any offered help appreciated.
The relevant (I think) web.xml snippet is:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Application Login</web-resource-name>
        <url-pattern>/login.jsp</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>player</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>player</role-name>
    </auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Application</realm-name>
    <form-login-config>
        <form-login-page>/jsp/login.jsp</form-login-page>
        <form-error-page>/jsp/error.jsp</form-error-page>
    </form-login-config>
</login-config>
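The following is an added example, not code from the original post or from Tomcat: a small Python lint that parses a web.xml, applies the Servlet url-pattern matching rules (exact, `/prefix/*`, `*.ext`, and the default `/`), and reports which request paths are not covered by any constraint whose transport-guarantee is CONFIDENTIAL. It always checks the configured form-login-page; extra paths can be passed in. The embedded web.xml is constructed from the snippet above, and the "corrected" variant (the login constraint's url-pattern changed to `/jsp/login.jsp`, which is an assumption about the intended path) is there only to show the check passing.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two constraints and login-config from the post,
# wrapped in a <web-app> root so the fragment parses as a document.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application Login</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>player</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>player</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/jsp/login.jsp</form-login-page>
      <form-error-page>/jsp/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

# Hypothetical corrected variant: the login constraint's pattern made to
# agree with the form-login-page path (an assumption about the intended path).
CORRECTED_WEB_XML = SAMPLE_WEB_XML.replace(
    "<url-pattern>/login.jsp</url-pattern>",
    "<url-pattern>/jsp/login.jsp</url-pattern>")


def _local(tag):
    """Strip an XML namespace ({uri}name -> name) so namespaced web.xml files parse too."""
    return tag.rsplit("}", 1)[-1]


def url_pattern_matches(pattern, path):
    """Servlet url-pattern matching: exact, path prefix (/foo/*), extension (*.jsp), default (/)."""
    if pattern == path or pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]          # "/*" gives an empty prefix and matches every path
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def parse_constraints(xml_text):
    """Return one (name, url_patterns, http_methods, transport_guarantee) tuple per security-constraint."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        name, patterns, methods, guarantee = "", [], [], "NONE"
        for el in sc.iter():
            tag, text = _local(el.tag), (el.text or "").strip()
            if tag == "web-resource-name":
                name = text
            elif tag == "url-pattern":
                patterns.append(text)
            elif tag == "http-method":
                methods.append(text)
            elif tag == "transport-guarantee":
                guarantee = text
        constraints.append((name, patterns, methods, guarantee))
    return constraints


def form_login_page(xml_text):
    """Return the form-login-page path, or None when the app does not use FORM auth."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "form-login-page":
            return (el.text or "").strip()
    return None


def audit_transport(xml_text, request_paths=()):
    """List request paths (the form-login-page plus any supplied) that no CONFIDENTIAL constraint covers."""
    constraints = parse_constraints(xml_text)
    paths = list(request_paths)
    login = form_login_page(xml_text)
    if login:
        paths.append(login)
    findings = []
    for path in paths:
        covering = [name for name, patterns, _methods, guarantee in constraints
                    if guarantee == "CONFIDENTIAL"
                    and any(url_pattern_matches(p, path) for p in patterns)]
        if not covering:
            findings.append(f"{path}: no CONFIDENTIAL constraint matches this path")
    return findings


if __name__ == "__main__":
    print("as posted:", audit_transport(SAMPLE_WEB_XML) or "all covered")
    print("corrected:", audit_transport(CORRECTED_WEB_XML) or "all covered")
```

Run against the snippet as posted, the lint reports that `/jsp/login.jsp` is not matched by the `/login.jsp` pattern, so no CONFIDENTIAL guarantee applies to the login page at all. One further caveat to keep in mind when fixing the pattern: Tomcat's form authenticator reaches the login page by an internal forward, which is not a new request, so a transport guarantee on the login page's own URL is not what forces the upgrade; the guarantee has to sit on the constraint that matches the URL the browser actually requested. Checking the paths users really hit (pass them as `request_paths`) shows whether those requests are covered.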
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org