
How to ensure SSL-only access without authorising in Java webapp?

Developer https://www.devze.com 2022-12-13 09:33 Source: Internet
I'm interested in ensuring that a couple of pages in a webapp are only accessible via https, but I don't want to authenticate the users.

Can I do this declaratively with security-constraints, or do I need to do something programmatically?

Any help appreciated, thanks folks

(Tomcat 5.5, servlet spec 2.3 - it's a legacy thing...)


Use a security-constraint and set the transport-guarantee to CONFIDENTIAL:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL Redirect</web-resource-name>
        <!-- A path pattern must start with "/"; "/*" covers the whole webapp. -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- No auth-constraint: HTTPS is required, but no login. -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Servlet 2.3 Spec


Do you have a chance to place an Apache proxy in front of it? The SSL-only connections would go through that and you would prevent direct access to your Tomcat instance from the outside network.
