Meaningless Drivel is fun!*
The moose likes Tomcat and the fly likes Tomcat filters Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Products » Tomcat
Bookmark "Tomcat filters" Watch "Tomcat filters" New topic

Tomcat filters

Mark Hughes
Ranch Hand

Joined: Jul 14, 2006
Posts: 146
Hi Guys,

Ive been doing some research and i discovered that the following code put in a web.xml will force Tomcat to redirect to a https connection for certain wildcard matches, or in the below case all pages in the domain.
My question is though if only a few pages below were added to the filter such as login page and account page, https is invoked when those pages are requested, but then tomcat keeps a https connection from that point on.
Is it possible to also have filters that force tomcat to redirect to a non ssl port for some pages that do not need securing.

So based on the url pattern, Tomcat will redirect to https and then back to http?

Mark Hughes
Mark Hughes
Ranch Hand

Joined: Jul 14, 2006
Posts: 146
Hey Guys,

Any takers on this?
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 41180
No, that's not possible. But you can do that explicitly in the HTML by using absolute URLs starting with "http:". If you use relative URLs (which do not contain the protocol to use), then it's going to keep using HTTPS.

Ping & DNS - my free Android networking tools app
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15964

By the time a web request gets to the Tomcat filter, it's already passed through the network and been decrypted. So a filter can't help.

Don't make the common mistake of thinking that a web session is a continuous conversation that you can switch. The underlying HTTP(S) protocol is strictly atomic, and it's only by generous use of smoke and mirrors that we make webapps appear to have a connection from one press of the Submit button to the next.

Part of that "smoke and mirrors" is the URL that makes the next request. And as Ulf said, you can control the protocol, server, and port by shaping the URL(s) that the server for the previous request sends back in links, resource references and form submit targets.

Customer surveys are for companies who didn't pay proper attention to begin with.
Mark Hughes
Ranch Hand

Joined: Jul 14, 2006
Posts: 146
cool thanks guys, that makes sense.

Mark Hughes
It is sorta covered in the JavaRanch Style Guide.
subject: Tomcat filters
Similar Threads
Toggling from http to https using filters in Tomcat
http https switch
HttpServletRequest - RequestDispatcher - Forward - is not using Constraint
Can�t get SSL redirection to work for root application context.