I have a Tomcat 6 server and I want just about everything to be behind SSL however I want one servlet to be accessible through non-ssl. Is it possible to configure Tomcat this way? It is currently set up to forward all requests to the secure port.
+3
A:
One way to achieve this is by editing the web.xml for your web app.
I assume you'll already have the web app set up for forcing all requests to https with <transport-guarantee> CONFIDENTIAL like below
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<!-- Define the context-relative URL(s) to be protected -->
<url-pattern>/*</url-pattern>
<!-- If you list http methods, only those methods are protected -->
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
<role-name>tomcat</role-name>
<role-name>role1</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Now add another block below this for the servlet you wish to bypass https for.
<security-constraint>
<web-resource-collection>
<web-resource-name>Unsecured resources</web-resource-name>
<url-pattern>/jsp/openforall.jsp</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
This URL openforall.jsp alone will now be accessible via http.
Note: This URL will also still be available on https if someone accesses it that way.
JoseK
2010-07-01 08:26:47