File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes Tomcat and the fly likes Forcing SSL but not in web.xml -- how? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » Tomcat
Bookmark "Forcing SSL but not in web.xml -- how?" Watch "Forcing SSL but not in web.xml -- how?" New topic
Author

Forcing SSL but not in web.xml -- how?

Rob Tanner
Greenhorn

Joined: Apr 10, 2009
Posts: 18
Hi,

I'm using the Google Web Toolkit (GWT) inside Eclipse to develop web applications that require a secure SSL connection. Normally (as in when writing non-GWT web applications) I would simply include a security-constraint in web.xml and be done with it. I added a self-signed certificate to the built-in Tomcat and simply told my browser to accept it and I could do my development simulating the production environment. However, working with GWT, you do your development work in hosted mode and not using a real browser and hosted mode does not like SSL. Right now, I'm simply commenting out the security-constraint in web.xml and hopefully remembering to uncomment it either when I build the war file or after I move the application o the production server. Either way, the odds that I forget that step are pretty good.

Do you know of anyway out of this predicament? Is there anyway, for example, that I can globally add a security-constraint in Tomcat, perhaps in server.xml?

Thanks,
Rob

Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

The server.xml file has explicit <Connector ...> entries for the secure and non secure ports.
You could always comment out the non-secure one.

That would globally enforce an SSL requirement.

You might also look into 'valves'.
Valves are just like servlet filters but are container wide.


Java API J2EE API Servlet Spec JSP Spec How to ask a question... Simple Servlet Examples jsonf
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15964
    
  19

Here's a slightly different approach. If you build the app using Maven, you can use Maven's profile feature to control which copy of a web.xml gets put into the WAR.

The downside is that you have to do parallel maintenance on the 2 web.xml files and you have to remember to build using the proper profile, but that way you don't have to do esoteric things to Tomcat.


Customer surveys are for companies who didn't pay proper attention to begin with.
 
Consider Paul's rocket mass heater.
 
subject: Forcing SSL but not in web.xml -- how?
 
Similar Threads
Not enough arguments (2) passed to external.gwtOnLoad(), expected (3); your hosted mode bootstrap...
http https switch
Redirecting http to https imbedded Tomcat 4
Should I select Swing or SWT ?
GWT Dev mode Changes in the Java class is not reflecting when refresh the browser