views: 349
answers: 2

Hello,

I have a struts2 webapp running under the tomcat6 app server. The mode is https. The entire site is currently being served on https. But what I would really like to do is set up https only for certain operations like purchase and login. Is there any configuration in tomcat that can help me do this easily?

Are there any code changes required to persist session across https and http?

Thanks,
-Keshav

A: 

You just need to set up an HTTP connector and all your servlets will be available over HTTP as well.

For operations requiring HTTPS, you need to enforce this yourself, like this:

// reject a plain-HTTP request to an operation that must run over HTTPS
if (!request.isSecure()) {
    response.sendError(HttpServletResponse.SC_FORBIDDEN);
    return;
}

In our case, the login URL may be typed in by the user, so we redirect the user to the HTTPS page if an HTTP URL is entered.

If you are talking about Servlet sessions (JSESSIONID), you shouldn't have any issues sharing sessions between HTTP and HTTPS, since Tomcat doesn't add the "secure" flag to the cookies.

ZZ Coder
+3  A: 

Really, ideally, this is configured in your web app's web.xml file. You simply specify certain URLs that should be secure. The container will manage redirects transparently. Simples.

<security-constraint>
  <web-resource-collection>
     <web-resource-name>My Secure Stuff</web-resource-name>
     <url-pattern>/some/secure/stuff/*</url-pattern>
     <url-pattern>/other/secure/stuff/*</url-pattern>
     ...
  </web-resource-collection>
  <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Sean Owen
Thanks for the info, I will try this!
Keshav
I tried adding this to my web.xml, but Tomcat doesn't redirect, it just fails! Am I doing something wrong? I'm using Tomcat 5.5.23.
ep4169
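The `<security-constraint>` in the answer above only tells Tomcat that the resource needs a confidential transport; the redirect it performs goes to the `redirectPort` of the connector the request arrived on, so there must be an HTTPS connector listening on exactly that port. If `redirectPort` is absent or names a port with no HTTPS connector behind it, the browser is sent to a dead port and the page simply fails to load, which is the usual cause of the behaviour described in the comment above. The fragment below is an added server.xml example, not configuration from the original question or answers; the port numbers, the keystore path and password are assumptions, and `SSLEnabled="true"` is the Tomcat 6 form of enabling TLS on a connector.

```xml
<!-- Added example server.xml fragment (not from the original post). -->

<!-- Plain HTTP connector: redirectPort must match the HTTPS connector's port. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- HTTPS connector on the port named above; keystore values are assumed. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/keystore.jks" keystorePass="changeit" />
```

A quick check before relying on the container redirect: browse to `https://host:8443/` directly; if that does not load, the constraint cannot redirect to it either, and the failure is in the connector, not in web.xml.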