Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
543 views
in Technique[技术] by (71.8m points)

java - SSL for specific pages/url-patterns in tomcat

I recently configured tomcat 6 with SSL and client authentication, but the only way I could do it was modifying server configuration files (web.xml, server.xml). But as I don't have full control over the deployment server, I would like to configure everything just for some pages or url-patterns of my application without modifying the main configuration files.

For example: Main server:

  • Application1 -> HTTP
  • Application2 -> HTTP
  • MyApplication -> HTTPS

If somebody knows how to do it, please tell me.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

The only way to get https going is to write the appropriate connector on the server.xml file under the <service> tag. Once you setup the connector you can access all applications in the server with http or https. The only difference is what connector gets used. Typically the connectors for http and https look like these:

<Connector port="80" protocol="HTTP/1.1"
           maxThreads="150" connectionTimeout="20000"
           redirectPort="443"
           URIEncoding="UTF-8" compression="on"/>

<Connector port="443" protocol="HTTP/1.1"
           maxThreads="150" connectionTimeout="20000"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/.keystore"
           keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"
           URIEncoding="UTF-8" compression="on"/>

You can then force your application to always use https by adding the transport-guarantee tag to web.xml which ends up something like this:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Administrators</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Administrators</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

You can change the transport-guarantee for the different web resources you define. Thus allowing you to protect certain parts of the site and not others.

At the very end having the connector in server.xml does not force you yo use https for all applications. It only allows the use of the https connector.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...