More often than not you are required to secure your login pages and certain admin resources with SSL/TLS. This can be quite a task if you go around manually redirecting all your HTTP requests to HTTPS and then configuring your server. What's worse, another team member may forget to secure certain resources, thereby exposing them over plain HTTP.
The best way to secure such resources is to use a security-constraint in the deployment descriptor, so that the container enforces the rule for every matching URL instead of each developer remembering to do it. The relevant part of web.xml goes something like this:
```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Security</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```
The transport-guarantee element is what moves the request onto a secure connection. It can have three values:
- NONE – this is the default; it is also what you get if the user-data-constraint is omitted altogether
- INTEGRAL – data must be sent in a way that it cannot be changed during transmission
- CONFIDENTIAL – data must be sent in a way that it cannot be viewed during transmission (basically, data is encrypted using SSL/TLS)
In practice every common container satisfies both INTEGRAL and CONFIDENTIAL with the same TLS connector, so there is no reason to pick INTEGRAL: use CONFIDENTIAL and state what you actually want.
That's it: whenever you request one of these URLs over plain HTTP, the container answers with a redirect to the HTTPS equivalent (in Tomcat, to the port named by the connector's redirectPort attribute, so that attribute must point at a working TLS connector). The method works in every Servlet container, Tomcat, WebLogic, JBoss, WebSphere and so on, because it is part of the Servlet specification rather than a vendor feature. Two caveats: the first request still goes out in the clear before the redirect, so the session cookie must be marked secure (the session-config/cookie-config element in Servlet 3.0, or the container's own setting) or it leaks on that first hop; and a url-pattern narrower than /* protects only what it matches, so check that no login or admin path is left outside a CONFIDENTIAL constraint.
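Because the whole point is that nobody should forget a resource, it helps to audit the deployment descriptor rather than trust it. The following is an added example, not code from the original post or from any container: a small Python script that parses a web.xml, lists every security-constraint with its url-patterns and transport-guarantee (treating a missing user-data-constraint as NONE, as the spec does), flags anything weaker than CONFIDENTIAL, and reports whether there is a CONFIDENTIAL catch-all on /* and whether the session cookie is marked secure. The embedded web.xml is constructed for the example and deliberately contains one good constraint, one INTEGRAL constraint and one with no transport guarantee at all.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not from the original post).
# /login is fine, /admin only asks for INTEGRAL, /reports has no
# user-data-constraint at all, and the session cookie is not marked secure.
SAMPLE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>
"""


def _local(tag):
    """Strip the namespace so the audit works with or without the web-app xmlns."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def _find_text(elem, path):
    """Walk a list of child names and return the stripped text, or None if absent."""
    cur = elem
    for name in path:
        found = _children(cur, name)
        if not found:
            return None
        cur = found[0]
    return (cur.text or "").strip()


def audit_web_xml(xml_text):
    """Return a report on every security-constraint plus the two global checks."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in _children(root, "security-constraint"):
        names, patterns = [], []
        for wrc in _children(sc, "web-resource-collection"):
            names += [(n.text or "").strip() for n in _children(wrc, "web-resource-name")]
            patterns += [(p.text or "").strip() for p in _children(wrc, "url-pattern")]
        guarantee = _find_text(sc, ["user-data-constraint", "transport-guarantee"])
        if not guarantee:
            guarantee = "NONE"  # omitted user-data-constraint means NONE per the spec
        if guarantee == "CONFIDENTIAL":
            status, note = "ok", "served over TLS"
        elif guarantee == "INTEGRAL":
            status, note = "warn", "INTEGRAL; containers use TLS anyway, but say CONFIDENTIAL"
        else:
            status, note = "fail", "no transport guarantee, reachable over plain HTTP"
        constraints.append({"name": ", ".join(names), "patterns": patterns,
                            "guarantee": guarantee, "status": status, "note": note})
    secure_cookie = _find_text(root, ["session-config", "cookie-config", "secure"]) == "true"
    catch_all_https = any("/*" in c["patterns"] and c["guarantee"] == "CONFIDENTIAL"
                          for c in constraints)
    return {"constraints": constraints, "secure_cookie": secure_cookie,
            "catch_all_https": catch_all_https}


if __name__ == "__main__":
    report = audit_web_xml(SAMPLE_WEB_XML)
    for c in report["constraints"]:
        print(f"[{c['status']:4}] {c['name']:10} {','.join(c['patterns']):12} "
              f"{c['guarantee']:12} {c['note']}")
    print("CONFIDENTIAL catch-all on /*:", report["catch_all_https"])
    print("session cookie marked secure:", report["secure_cookie"])
```

Run it against the real web.xml of a deployment (read the file and pass its contents to audit_web_xml) as a pre-commit or CI check; any "fail" entry, a missing catch-all, or a session cookie without `<secure>true</secure>` is exactly the kind of oversight the post warns about.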
Tags: tomcat, web, web security