Dear Resin-Interest members:
We have an Apache <-mod_caucho-> Resin combination running. Normally, Apache
is configured to use SSL so that when a request comes in to Apache as https://
it does the SSL decoding/encoding and talks to Resin using clear text.
Now, we are thinking of using transport-guarantee of type CONFIDENTIAL to
protect certain transmissions of sensitive data. I have used the security
constraint as follows inside of resin.conf:
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/public/signin.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint transport-guarantee="CONFIDENTIAL"/>
  </security-constraint>
Indeed, trying to access signin.jsp via http:// produces a file not found,
and using https:// works correctly. However, the URL does not automatically
switch to https when a user attempts to access signin.jsp.
I have talked to some people who use Tomcat and they mentioned that there is
a mechanism that Tomcat uses to redirect users to https:// if CONFIDENTIAL
transport-guarantee is required to access the page.
Is there anything that Resin does which is similar to this? I am trying to
avoid having to hardcode
https://www.server.com/applicationcontext/public/signin.jsp and somehow
continue using /public/signin.jsp as a relative argument (since I don't
really know what context the application will be deployed in).
I would like to achieve two goals:
1. Protect transmission of certain sensitive data
2. Avoid having to hardcode an absolute path in some anchor links
If there is a better way of doing this with Resin, other than using
CONFIDENTIAL transport-guarantee, that would be acceptable as well.
-AP_
Received on Wed 27 Feb 2002 21:58:59 -0800