How to set Tomcat not to have SSL for certain pages?

Alan Blass
Ranch Hand

Joined: Mar 21, 2010
Posts: 120
Hi!

I have successfully set up SSL for Tomcat via https://localhost:8443/ but this is for all web applications.

Is it possible to exempt certain directories or webpages not to have SSL?

Thanks
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42611
You would set that up in the web.xml file. At the end of this page is a short excerpt that shows which elements are involved: https://www.coderanch.com/how-to/java/ServletsFaq#security


Ping & DNS - my free Android networking tools app
Alan Blass
Ranch Hand

Joined: Mar 21, 2010
Posts: 120
Hi!

Thanks for your reply.

What I meant was to exempt a certain page in the application:

SSL:
https://localhost:8443/myApp/index.jsp
https://localhost:8443/myApp/otherpage.jsp
https://localhost:8443/myApp/sub/someother.jsp

except:

http://localhost:8080/myApp/sub/noSSL.jsp

How do I do that?

Thanks
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42611
I see. That setting can be used to enforce SSL on certain pages, not to disallow SSL on pages. But that link should still work as is (unless you force all pages in the web app to use SSL).

What is the purpose of not using SSL for just one page?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16250

I do not recommend flip-flopping between SSL and non-SSL. You can end up exposing critical data, since presumably, the reason you entered SSL mode to begin with was to access secure information that would be exploitable on an open channel. And as a consequence of entering secure transport mode, Tomcat will have changed your session ID.

I haven't actually paid as much attention to the details as I might have, since this is one of these mechanisms that "just works" and there are too many other mechanisms that don't, but my impression is that once you enter SSL, you're going to stay there, even on pages not tagged for secure transport, at least unless you explicitly request otherwise (URLs beginning with "http" instead of "https"). But if you do and you manage to use the SSL-based sessionID, you will definitely have a possible exploit point.


Customer surveys are for companies who didn't pay proper attention to begin with.
Alan Blass
Ranch Hand

Joined: Mar 21, 2010
Posts: 120
Hi!

Thanks for your replies. The reason for just one page without SSL is for a specific purpose which I have no control over.

BTW, I have tried:



I can access noSSL.jsp without SSL, but when I access http://localhost:8080/myApp/index.jsp, I can still access it with http.

How can I force all webpages to go to SSL except noSSL.jsp?

Please help. Thanks.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42611
You can check whether it is being accessed via SSL in the page controller (however that is implemented - you should not access JSPs directly), and do a redirect to the non-SSL URL if it is. I don't think there's a way to tell Tomcat to do that by itself. If the Tomcat is fronted by an Apache, then this would be trivial using the mod_rewrite module.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16250

The web.xml deployment descriptor can be used to enforce SSL or permit non-SSL by writing appropriate transport guarantees paired with URL patterns. I'm not aware offhand of how application program logic could reliably determine whether the received URL came in via HTTP or HTTPS. By the time the app gets the data it's no longer encrypted (if it ever was) and I suspect that an "https" on the front of the URL can be faked, but with proper container enforcement, it doesn't matter.

URL patterns are WAR-relative resource patterns, meaning that the protocol, domain-name/ip, webapp context name, security credentials (where used), parameters and anchor offsets are all stripped off before matching. So for example, the URL http://www.coderanch.com/mywebapp/jspcontroller/hellopart#paragraph_a?action=dothis&data=that would have a WAR-relative resource pattern match on "/jspcontroller/hellopart".

I do have JSPs that are not controller-backed, but that's because they're too trivial to have business logic in them. Stuff like "Hello" pages. So it's relatively easy for me to set up useful URL patterns. Apps that jump straight into heavy processing would need a Controller.

And yet one more reason why I encourage use of the built-in J2EE container security over DIY login/access systems is that the container can handle all of this as a seamless unit.


Alan Blass
Ranch Hand

Joined: Mar 21, 2010
Posts: 120
Hi!

I finally managed to do it. Append the following to the project's web.xml:



Only sub/noSSL.jsp has no SSL. All other webpages in the project have SSL.

Hope this helps someone.
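The web.xml that the two posts above describe (a transport guarantee paired with a WAR-relative URL pattern, with one exact-match pattern exempted) looks like the following. This is an added example, not the descriptor the original poster pasted; it assumes the application is deployed under the context path /myApp and that the HTTP connector in server.xml has its redirectPort pointing at the SSL connector (8443 in this thread), since that is where Tomcat sends plain-HTTP requests that hit a CONFIDENTIAL constraint.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the thread author's own web.xml.
     Assumptions: context path /myApp; HTTP connector on 8080 with
     redirectPort="8443" so CONFIDENTIAL requests are redirected, not refused. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- 1. Every resource in the application must arrive over SSL.
          A request for http://host:8080/myApp/index.jsp gets a redirect
          to https://host:8443/myApp/index.jsp. No http-method element
          means the constraint covers all HTTP methods. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 2. The one page allowed over plain HTTP. The pattern is WAR-relative:
          no scheme, host or context path, so it is /sub/noSSL.jsp, not
          /myApp/sub/noSSL.jsp. An exact-match pattern is selected in
          preference to the /* prefix match, so this constraint, not the
          CONFIDENTIAL one, is the one applied to that URL. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Plain-HTTP page</web-resource-name>
      <url-pattern>/sub/noSSL.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

Two things to check after deploying this. First, NONE only permits plain HTTP; it does not forbid HTTPS, so https://localhost:8443/myApp/sub/noSSL.jsp still works, which is the distinction Ulf draws above. Second, the session-ID concern Tim raises applies here: a browser that already holds a session cookie from the HTTPS pages will send the same JSESSIONID in the clear when it fetches noSSL.jsp, unless the session cookie is flagged Secure (in Tomcat 7 and later, a Servlet 3.0 descriptor can set `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>`), in which case the plain page simply sees no session.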