Setting in Tomcat to enable SSL for certain pages

Use following setting in your web application to enable SSL for certain pages.


For example:
Certain page in the application should be accessible on https, like

SSL:

Non SSL:

This setting can be enabled at application level by specifying appropriate configuration in deployment descriptor file i.e. web.xml.

Open web.xml located inside WEB-INF folder in application. Add following code

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Non SSL</web-resource-name>        
        <url-pattern>/help</url-pattern>
  <url-pattern>/contact</url-pattern>
    </web-resource-collection>    
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>   
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>        
        <url-pattern>/*</url-pattern>
    </web-resource-collection>    
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

url-pattern - here you need specify the url pattern to be considered.

transport-guarantee - value in this tag manages if the mentioned url under url-pattern should be under SSL or Non SSL. if "CONFIDENTIAL" value is specified then it will be secure otherwise non SSL.


Comments

Post a Comment

Popular posts from this blog

SSO on Windows using Waffle - Java Web Application

Image
Waffle is open source API which helps in windows based authentication. If project requirements is to auto login a user with Windows login credentials then Waffle provides one option to achieve the same. Waffle supports Negotiate, NTLM and Kerberos. In this blog I will create a Java Web Project to demonstrate how to get the windows logged in credentials using Waffle. Prerequisites: Tomcat Eclipse Create a new Dynamic Web Project in eclipse.  Create Dynamic Web Project Add following jar files related to Waffle setup. commons-logging-1.1.1.jar guava-r07.jar jna.jar platform.jar waffle-jna.jar Next step will be to add the filter classes to handle SSO with windows.  Add filter class "waffle.servlet.NegotiateSecurityFilter", this class takes care of doing negotiation with windows system by invoking necessary classes with in the waffle jars.  Sample code for the same is given below for web,xml file. <?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:x...
Read more

Cross domain Calls in AJAX with Jsonp

Web browser doesnot allow initiating cross domain call from javascript. There are multiple ways to initiate cross domain calls, I will be showing example on how to make cross domain call from javascript using jsonp. Using Jquery following is the way to initiate Cross Domain call. in $.ajax method, "dataType" parameter should be set to "jsonp", here jsonp means Json with padding, with jsonp a javascript code is injected in client browser, which enables code to make cross domain call. function initiateCrossDomainCall(url) { $.ajax({ dataType: 'jsonp', // json with padding type:"GET", url : url, success: function ( data) { parseResp(data); }, error: function ( data, status, error) { parseErrorResp(data, status, error) }, timeout: 2000 }); } function parseResp(data){ //add code to parse responsedata. } function parseErrorResp(data, status, error){ // parse errr resp...
Read more

Handling Cross site Scripting

Image
Typically in web application cross site scripting issue is one of the most occurring issues. Cross site scripting vulnerability occurs when hackers are able to execute script code in your application. This can happen due exploiting weakness in the application code. Like Trusting data which comes from any of the system. Lack of data filter for data cleansing before data goes inside the system. Use of Scriptlet  <%=%> for printing data in JSP without validating the data. CSS can broadly be categorized in two subsections. If hackers are able to persist their malicious code in application persistence layer (DB), and whenever any application user visits the web page, these malicious code gets executed and hacker will be able to exploit user. This type is persistent and are more dangerous.          Hacker can add dynamic redirection to some of his malicious site, and capture confidential data. As this redirection happened from the parent site user also will...
Read more