Declarative Security & SSL

Michael Fitzmaurice
Ranch Hand

Joined: Aug 22, 2001
Posts: 168
Hi all

I have a web app deployed in Tomcat. I would like to declaratively secure the application such that all pages are inaccessible unless the user successfully authenticates. This is easy enough. I would also like to use HTTP form authentication over SSL - this is also easy enough. However, what I would like to do (declaratively) is to use SSL only on the login page. If I do something like this in web.xml:

This means the user cannot access any page without authenticating, but it also means all pages are being served over SSL, which is not necessary for my application. However, I do want to protect the communication of the user's credentials with SSL, hence I want to be able to specify SSL for the login page. Is this possible declaratively, and if so, how?


[ March 02, 2005: Message edited by: Michael Fitzmaurice ]

"One good thing about music - when it hits, you feel no pain" - Bob Marley
Rich Raposa
Ranch Hand

Joined: Dec 06, 2001
Posts: 46
I think it's as easy as putting the complete URL to the login page. Something like:

This is as opposed to just putting "/login.html" in web.xml.

Rich Raposa
Buy Java courseware -> get a free XBox!
Michael Fitzmaurice
Ranch Hand

Joined: Aug 22, 2001
Posts: 168
Hi Rich

Thanks for your response - I never thought to try that. Unfortunately, it doesn't seem to work; any path you put in the <form-login-page> element must start with a '/', so absolute URLs are not possible.

Does anyone else have any ideas?
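
Added example, not part of the original thread and not code from any poster: a small Python check that reads a web.xml and reports, for a request path, whether the best-matching security-constraint requires authentication and which transport-guarantee it declares. The descriptor, the role name "user" and the function names are constructed for illustration; the sketch assumes each url-pattern is declared in only one constraint and ignores http-method, and it shows what the descriptor declares, not how Tomcat behaves when it serves the login page.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor for illustration; no XML namespace, as in DTD-based web.xml.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name><url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>login</web-resource-name><url-pattern>/login.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page><form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def load_rules(xml_text):
    """Map each url-pattern to (needs_auth, transport). Assumes one constraint per pattern."""
    rules = {}
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        needs_auth = sc.find("auth-constraint") is not None
        transport = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        for pat in sc.iter("url-pattern"):
            rules[pat.text.strip()] = (needs_auth, transport)
    return rules

def rank(pattern, path):
    """Servlet-spec precedence: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def effective(rules, path):
    """Rule of the best-matching pattern; unconstrained paths get (False, 'NONE')."""
    hits = [(rank(p, path), r) for p, r in rules.items() if rank(p, path)]
    return max(hits)[1] if hits else (False, "NONE")
```

For this descriptor, effective(load_rules(WEB_XML), "/login.html") returns (False, 'CONFIDENTIAL') and "/index.jsp" returns (True, 'NONE'). The form's j_security_check target also resolves to (True, 'NONE'), so the descriptor declares no transport guarantee for the request that carries the credentials.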

