security-constraint url-pattern question
I am currently forcing my app to use https. Here is what I have in my app web.xml file and it works as intended:

securedapp /* CONFIDENTIAL

I also now want to restrict the browser from pulling up files in certain directories. Searching the web, I see to use the following:

HTTP-Protected-Resource-1 Description here /path to directory/path to directory/* GET POST

These both work independently of each other. What I can't figure out is how to make them work together. When I try that, all files are forbidden, as it appears the /* locks everything down. But without it, I cannot get Tomcat to force http to https.

Can anyone help with this?

Thanks,
Kent Cole
Re: security-constraint url-pattern question
Chris,

Thanks for the response, but I think I explained myself wrong. The http redirect to https works when I use just this entry in my web.xml:

securedapp /* CONFIDENTIAL

But if I want to force http to https and lock the second url pattern from a browser accessing files in that directory, it locks down the entire site based on the first url-pattern /*, and without the /* the http to https does not work at the root directory of the app.

securedapp /* /path to directory/* CONFIDENTIAL

I can't figure out how to force http to https and lock down a directory from being browsed.

Thanks,
Kent Cole

> On Dec 14, 2023, at 10:09 AM, Christopher Schultz wrote:
>
> Kent,
>
> On 12/14/23 09:13, ResSoft wrote:
>> I am currently forcing my app to use https. Here is what I have in my
>> app web.xml file and it works as intended
>>
>> securedapp
>> /*
>>
>> CONFIDENTIAL
>>
>> I also now want to restrict the browser from pulling up files in certain =
>> directories. Search the web I see to use the following=20
>>
>> =
>
> I hope this is just a stray = added by your email program. If it's not,
> please remove it.
>
>> HTTP-Protected-Resource-1
>> Description here
>> /path to directory/path to =
>> directory/*
>> GET
>> POST
>
> What about HEAD requests? Or PUT? Or maybe FOO?
>
> Don't forget that any client can try any HTTP method verb. It doesn't have to
> make any sense, and most code assumes GET unless it's looking for something
> else.
>
>> These both work independently of each other. What I can't
>> figure out is how to make them work together. When I try that, all
>> files are forbidden as it appears the /*
>> locks everything down. But without it, I cannot get tomcat to force
>> http to https.
>
> Have you set a redirectPort in your HTTP <Connector>?
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
Re: security-constraint url-pattern question
Chris,

I figured out how to make this work. It works in my dev box but not in my prod box. Both have the same version of Tomcat. Here is the web.xml entry. Any ideas would be great.

securedapp /* CONFIDENTIAL HTTP-Protected-Resource-1 Description here /path to directory/* GET POST

Thanks,
Kent Cole
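For reference, here is the shape of a web.xml that does both things Kent is after, as an added example and not a configuration from either poster. The point that resolves the original question is that the transport guarantee and the directory lockdown belong in two separate security-constraint elements: an auth-constraint applies to every url-pattern listed in the constraint that contains it, so a single constraint holding both /* and the directory pattern denies the whole site. The directory path /private/* is an assumed stand-in for Kent's "/path to directory/*", and the ports 8080/8443 and the keystore path in the server.xml fragment are assumptions too.

```xml
<!-- WEB-INF/web.xml fragment: two separate security-constraints -->

<!-- Constraint 1: force HTTPS for the whole application.
     It has no auth-constraint, so it never denies a request; it only
     demands a confidential transport, which Tomcat satisfies by
     redirecting plain-HTTP requests to the connector's redirectPort. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>securedapp</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- no http-method element: the constraint covers every method -->
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Constraint 2: deny direct access to one directory.
     The EMPTY auth-constraint is what does the denying: it means
     "no role is allowed", so every request gets a 403. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTTP-Protected-Resource-1</web-resource-name>
    <description>Files under /private are never served to a browser</description>
    <!-- assumed stand-in for "/path to directory/*" -->
    <url-pattern>/private/*</url-pattern>
    <!-- Deliberately no http-method: listing only GET and POST would leave
         HEAD, PUT, OPTIONS or an invented verb like FOO unconstrained. -->
  </web-resource-collection>
  <auth-constraint/>
  <!-- Repeat the transport guarantee here. Tomcat applies the constraints
       whose url-pattern best matches the request (longest path prefix wins,
       as with servlet mappings), so constraint 1's /* does not also apply
       to requests under /private/. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- conf/server.xml fragment: the plain-HTTP connector has to know where
     to send the redirect, which is Chris's redirectPort question. Without
     it CONFIDENTIAL cannot be honoured on that connector. Ports and the
     keystore path are assumed values. -->
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
  </SSLHostConfig>
</Connector>
```

Two checks are worth running against both the dev and the prod box, since "same Tomcat version" does not mean the same server.xml: `curl -I http://host:8080/` should answer with a redirect to the https URL (no redirect usually means the HTTP Connector on that box lacks redirectPort or points at a port that is not listening), and `curl -k -I -X FOO https://host:8443/private/anything` should answer 403, which confirms the deny is not limited to GET and POST.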