brabster
Reputation: 43560
How to ensure SSL-only access without authorising in Java webapp?
I'm interested in ensuring that a couple of pages in a webapp are only accessible via https, but I don't want to authenticate the users.
Can I do this declaratively with security-constraints. or do I need to do something programmatically?
Any help appreciated, thanks folks
(Tomcat 5.5, servlet spec 2.3 - it's a legacy thing...)
Upvotes: 2
Views: 221
Answers (2)
John Weldon
Reputation: 40749
use a security-constraint and set the transport-guarantee to CONFIDENTIAL
<security-constraint>
<web-resource-collection>
<web-resource-name>SSL Redirect</web-resource-name>
<url-pattern>*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL
</transport-guarantee>
</user-data-constraint>
</security-constraint>
Upvotes: 4
Petteri H
Reputation: 12212
Do you have chance to place a Apache proxy in front of it? The SSL only connections would go through that and you would prevent direct access to you Tomcat instance from the outside network.
Upvotes: 1
Related Questions
- Tomcat Client Authentication using SSL
- Tomcat + SSL configuration + Client
- configure tomcat for client authentication only for specific URL patterns
- Client authentication in server Tomcat
- Tomcat - Two Way SSL as Server
- Enable Tomcat clientAuth only for certain URLs
- Server to Client SSL Encryption w/o SSL Authentication - Tomcat & Spring
- Using https only when user is logged in not otherwise in web app
- client/certificate authentication by server in tomcat
- Setup SSL for form login only on Tomcat webapp