This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
Ive been doing some research and i discovered that the following code put in a web.xml will force Tomcat to redirect to a https connection for certain wildcard matches, or in the below case all pages in the domain.
My question is though if only a few pages below were added to the filter such as login page and account page, https is invoked when those pages are requested, but then tomcat keeps a https connection from that point on.
Is it possible to also have filters that force tomcat to redirect to a non ssl port for some pages that do not need securing.
So based on the url pattern, Tomcat will redirect to https and then back to http?
No, that's not possible. But you can do that explicitly in the HTML by using absolute URLs starting with "http:". If you use relative URLs (which do not contain the protocol to use), then it's going to keep using HTTPS.
By the time a web request gets to the Tomcat filter, it's already passed through the network and been decrypted. So a filter can't help.
Don't make the common mistake of thinking that a web session is a continuous conversation that you can switch. The underlying HTTP(S) protocol is strictly atomic, and it's only by generous use of smoke and mirrors that we make webapps appear to have a connection from one press of the Submit button to the next.
Part of that "smoke and mirrors" is the URL that makes the next request. And as Ulf said, you can control the protocol, server, and port by shaping the URL(s) that the server for the previous request sends back in links, resource references and form submit targets.
An IDE is no substitute for an Intelligent Developer.