Hey all,

I'm interested in ensuring that a couple of pages in a webapp are only accessible via https, but I don't want to authenticate the users.

Can I do this declaratively with security-constraints, or do I need to do something programmatically?

Any help appreciated, thanks folks

(Tomcat 5.5, servlet spec 2.3 - it's a legacy thing...)

+1  A: 

Do you have a chance to place an Apache proxy in front of it? The SSL-only connections would go through that and you would prevent direct access to your Tomcat instance from the outside network.

Petteri Hietavirta
+4  A: 

Use a security-constraint and set the transport-guarantee to CONFIDENTIAL:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL Redirect</web-resource-name>
        <!-- /* covers every request path; a bare * is not a valid servlet URL pattern -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Servlet 2.3 Spec

John Weldon