I'm interested in ensuring that a couple of pages in a webapp are only accessible via https, but I don't want to authenticate the users.
Can I do this declaratively with security-constraints, or do I need to do something programmatically?
Any help appreciated, thanks folks
(Tomcat 5.5, servlet spec 2.3 - it's a legacy thing...)
Use a security-constraint and set the transport-guarantee to CONFIDENTIAL:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL Redirect</web-resource-name>
        <!-- "/*" applies the constraint to every URL in the webapp -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Servlet 2.3 Spec
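An added example, not part of the original answer: a constraint narrowed to two pages with no auth-constraint, so nobody is asked to log in, together with the Tomcat HTTP connector's redirectPort, which is where Tomcat sends a plain-HTTP request for a CONFIDENTIAL resource. The paths /account/* and /checkout.jsp and both port numbers are assumptions.

```xml
<!-- WEB-INF/web.xml (Servlet 2.3 DTD). The DTD fixes element order:
     security-constraint comes after resource-ref and before login-config. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPS-only pages</web-resource-name>
        <!-- Hypothetical paths: list only the pages that must use HTTPS -->
        <url-pattern>/account/*</url-pattern>
        <url-pattern>/checkout.jsp</url-pattern>
        <!-- No http-method elements: the constraint covers every method -->
    </web-resource-collection>
    <!-- No auth-constraint element: no login is required -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- conf/server.xml: plain-HTTP connector (ports are assumed values).
     A request on 8080 for a CONFIDENTIAL URL is redirected to redirectPort,
     where an HTTPS connector must be listening. -->
<Connector port="8080" redirectPort="8443" />
```

The first request still arrives over HTTP before the redirect, so links and form actions that point at these pages should use https:// directly.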
Do you have a chance to place an Apache proxy in front of it? The SSL-only connections would go through that, and you would prevent direct access to your Tomcat instance from the outside network.