 

Use HTTPS only for certain pages in servlet based webapp

I have a servlet based webapp running on Tomcat 6 server. The URL scheme is HTTPS. The entire site is currently being served on HTTPS. But what I would really like to do is setup HTTPS only for certain operations like purchase and login. Is there any configuration in Tomcat that can help me do this easily?

Are there any code changes required to persist session across HTTPS and HTTP?

Keshav Avatar asked Aug 25 '09 18:08



2 Answers

Really, ideally, this is configured in your web app's web.xml file. You simply specify certain URLs that should be secure as <security-constraint><web-resource-collection> and specify HTTPS requirement as <transport-guarantee> with value of CONFIDENTIAL. The container will manage redirects transparently. Simple.

<security-constraint>
  <web-resource-collection>
     <web-resource-name>My Secure Stuff</web-resource-name>
     <url-pattern>/some/secure/stuff/*</url-pattern>
     <url-pattern>/other/secure/stuff/*</url-pattern>
     ...
  </web-resource-collection>
  <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Sean Owen Avatar answered Sep 20 '22 04:09



You just need to set up an HTTP connector and all your servlets will be available on HTTP as well.

For operations requiring HTTPS, you need to enforce this yourself like this,

if (!request.isSecure()) {
    response.sendError(HttpServletResponse.SC_FORBIDDEN);
    return;
}

In our case, the login URL may be typed in by the user, so we redirect the user to the HTTPS page if an HTTP URL is entered.

If you are talking about Servlet sessions (JSESSIONID), you shouldn't have any issues sharing sessions between HTTP and HTTPS, since Tomcat doesn't add the "secure" flag to the cookies.

ZZ Coder Avatar answered Sep 24 '22 04:09
