Use HTTPS only for specific pages on a servlet-based web server

I have a servlet-based webapp running on my Tomcat 6 server. The URL scheme is HTTPS. The entire site is currently hosted on HTTPS. But I would really like to install HTTPS only for certain operations, such as purchase and login. Is there any configuration in Tomcat that can help me make this easy?

Are there any code changes needed to save the session via HTTPS and HTTP?

+7
tomcat servlets
2 answers

Indeed, ideally, this is configured in the web.xml file of the web application. You simply list the URLs that should be protected in a <security-constraint><web-resource-collection>, and require HTTPS by setting <transport-guarantee> to CONFIDENTIAL. The container handles the redirect transparently. Simple.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>My Secure Stuff</web-resource-name>
            <url-pattern>/some/secure/stuff/*</url-pattern>
            <url-pattern>/other/secure/stuff/*</url-pattern>
            ...
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
+11

You just need to configure the HTTP connector, and your entire servlet will be available via HTTP.

For operations that require HTTPS, you need to force it yourself:

    if (!request.isSecure()) {
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return;
    }

In our case, the login URL can be entered by the user, so we redirect the user to the HTTPS page if the HTTP URL is entered.

If you are talking about servlet sessions (JSESSIONID), you should not have a problem with a shared session between HTTP and HTTPS, because Tomcat does not add a "secure" flag to cookies.

+2
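A servlet filter that does the redirect this answer describes, added here as an example rather than code from the answer: HTTP requests for the mapped paths are sent to the HTTPS equivalent, while non-idempotent requests that already arrived in the clear are rejected with 403 as in the snippet above. It assumes a Tomcat HTTPS connector on port 8443 and protected paths such as /login/* and /purchase/*, both of which are placeholders.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Map this filter in web.xml to the paths that must be HTTPS-only, e.g.
// /login/* and /purchase/* (assumed paths). Everything else stays on HTTP.
public class RequireHttpsFilter implements Filter {
    // Assumed HTTPS connector port; Tomcat's default HTTPS port is 8443.
    private static final int HTTPS_PORT = 8443;

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isSecure()) {          // already on TLS: let it through
            chain.doFilter(req, res);
            return;
        }

        // A POST that arrived over HTTP has already exposed its body, and a
        // redirect would drop it anyway, so reject it outright.
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        response.sendRedirect(httpsUrlFor(request));
    }

    // Rebuild the same host, path and query string on the HTTPS connector.
    static String httpsUrlFor(HttpServletRequest request) {
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        if (HTTPS_PORT != 443) {
            url.append(':').append(HTTPS_PORT);
        }
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

A JSESSIONID cookie without the Secure attribute is still sent with every plain-HTTP request, so a session that was authenticated over HTTPS can be observed on the HTTP pages; invalidating and recreating the session at login keeps the pre-login id from carrying over.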
