brabster
Reputation: 43560
Setup SSL for form login only on Tomcat webapp
Can I set Tomcat (or my webapp if it's done that way) to require SSL for confidentiality of the built-in Form-Based Login mechanism?
i.e. to protect the users credentials, and use standard http for any other transactions?
Upvotes: 1
Views: 2582
Answers (1)
ZZ Coder
Reputation: 75456
You can put your login forms in its own directory and just require SSL for the directory,
<security-constraint>
<display-name>Login Pages</display-name>
<web-resource-collection>
<web-resource-name>Login</web-resource-name>
<url-pattern>/login/*</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Make sure your login form is in this path,
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login/form_login.jsp</form-login-page>
<form-error-page>/login/error.jsp</form-error-page>
</form-login-config>
</login-config>
Of course, you need to have a SSL connector setup on your Tomcat.
Upvotes: 4
Related Questions
- Tomcat Client Authentication using SSL
- SSL implementation in Spring Security Form Login Tomcat
- Secure https url from tomcat server
- Tomcat 6 Ssl and Form authentication side by side
- Tomcat + SSL configuration + Client
- Web Application under Tomcat with SSL
- Limit SSL just for Login Page
- Server to Client SSL Encryption w/o SSL Authentication - Tomcat & Spring
- Configuring SSL with tomcat
- How to ensure SSL-only access without authorising in Java webapp?