Forcing SSL but not in web.xml -- how?
|
Rob Tanner
Greenhorn
Joined: Apr 10, 2009
Posts: 1
|
|
Hi,
I'm using the Google Web Toolkit (GWT) inside Eclipse to develop web applications that require a secure SSL connection. Normally (as in when writing non-GWT web applications) I would simply include a security-constraint in web.xml and be done with it. I added a self-signed certificate to the built-in Tomcat and simply told my browser to accept it and I could do my development simulating the production environment. However, working with GWT, you do your development work in hosted mode and not using a real browser and hosted mode does not like SSL. Right now, I'm simply commenting out the security-constraint in web.xml and hopefully remembering to uncomment it either when I build the war file or after I move the application to the production server. Either way, the odds that I forget that step are pretty good.
Do you know of any way out of this predicament? Is there any way, for example, that I can globally add a security-constraint in Tomcat, perhaps in server.xml?
Thanks,
Rob
|
 |
Ben Souther
Sheriff
Joined: Dec 11, 2004
Posts: 13433
|
|
The server.xml file has explicit <Connector ...> entries for the secure and non-secure ports.
You could always comment out the non-secure one.
That would globally enforce an SSL requirement.
You might also look into 'valves'.
Valves are just like servlet filters but are container wide.
|
 |
Tim Holloway
Saloon Keeper
Joined: Jun 25, 2001
Posts: 11740
|
|
Here's a slightly different approach. If you build the app using Maven, you can use Maven's profile feature to control which copy of a web.xml gets put into the WAR.
The downside is that you have to do parallel maintenance on the 2 web.xml files and you have to remember to build using the proper profile, but that way you don't have to do esoteric things to Tomcat.
|
A lot of the modern-day software development platforms are designed to permit parcelling out work to those with the best aptitude for it. A lot of modern-day business is predicated on making one person do all the work, regardless of aptitude.
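Whichever approach is used, the risk named in the original question (a WAR shipped with the security-constraint still commented out) can be caught by a pre-deploy check on the built archive. The following is an added example, not code from any poster in this thread; the function names and sample descriptors are constructed for illustration, and it assumes the constraint lives in WEB-INF/web.xml and covers `/*`.

```python
import sys
import xml.etree.ElementTree as ET
import zipfile

def _local(tag):
    """Drop the XML namespace so any web.xml schema version matches."""
    return tag.rsplit("}", 1)[-1]

def enforces_ssl(web_xml):
    """True if a security-constraint covers /* for all methods as CONFIDENTIAL."""
    root = ET.fromstring(web_xml)  # the parser discards XML comments
    for sc in (e for e in root if _local(e.tag) == "security-constraint"):
        confidential = any(
            _local(e.tag) == "transport-guarantee"
            and (e.text or "").strip() == "CONFIDENTIAL"
            for e in sc.iter())
        for wrc in (e for e in sc if _local(e.tag) == "web-resource-collection"):
            kids = [(_local(c.tag), (c.text or "").strip()) for c in wrc]
            # An http-method list would leave the other methods unconstrained.
            limited = any(name.startswith("http-method") for name, _ in kids)
            if confidential and ("url-pattern", "/*") in kids and not limited:
                return True
    return False

def war_enforces_ssl(war):
    """war is a path or file object for the built WAR."""
    with zipfile.ZipFile(war) as zf:
        if "WEB-INF/web.xml" not in zf.namelist():
            return False  # no descriptor means no constraint
        return enforces_ssl(zf.read("WEB-INF/web.xml"))

# Constructed sample descriptors (not from the thread).
CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>"""
PROD_XML = "<web-app>" + CONSTRAINT + "</web-app>"
DEV_XML = "<web-app><!--" + CONSTRAINT + "--></web-app>"  # commented out

if __name__ == "__main__":
    ok = war_enforces_ssl(sys.argv[1])
    print("SSL enforced" if ok else "NO SSL constraint in web.xml")
    sys.exit(0 if ok else 1)
```

Run it against the WAR as the last build step and fail the build on a non-zero exit status, so the development descriptor cannot reach the production server unnoticed.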
|