Question
I have a servlet-based webapp running on a Tomcat 6 server. The URL scheme is HTTPS. The entire site is currently being served on HTTPS. But what I would really like to do is set up HTTPS only for certain operations like purchase and login. Is there any configuration in Tomcat that can help me do this easily?
Are there any code changes required to persist the session across HTTPS and HTTP?
Answer 1:
Really, ideally, this is configured in your web app's web.xml file. You simply specify certain URLs that should be secure as <security-constraint><web-resource-collection> and specify the HTTPS requirement as <transport-guarantee> with a value of CONFIDENTIAL. The container will manage redirects transparently. Simple.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>My Secure Stuff</web-resource-name>
    <!-- every url-pattern listed here is forced onto HTTPS -->
    <url-pattern>/some/secure/stuff/*</url-pattern>
    <url-pattern>/other/secure/stuff/*</url-pattern>
    ...
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL = require an encrypted (TLS) connection -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
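For the container-managed redirect described above to actually happen, the plain-HTTP connector in Tomcat's server.xml has to know which port carries HTTPS. The following is an added example, not part of the original answer: it shows both connectors for a Tomcat 6 install together with a web.xml constraint that puts only login and purchase behind TLS (the ports, the keystore path and the password `changeit` are placeholders).

```xml
<!-- conf/server.xml (Tomcat 6): redirectPort on the HTTP connector must name the
     HTTPS connector, otherwise a CONFIDENTIAL constraint cannot be honoured.
     secure="true" makes request.isSecure() return true on the TLS connector. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="conf/keystore.jks" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />

<!-- WEB-INF/web.xml: only these operations require TLS; every other path is
     served on both connectors. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTTPS-only operations</web-resource-name>
    <url-pattern>/login/*</url-pattern>
    <url-pattern>/purchase/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With this in place a request for http://host:8080/app/login/ is answered with a redirect to https://host:8443/app/login/ by Tomcat itself; nothing in the servlet code has to check the scheme. A quick check is `curl -I http://host:8080/app/login/`, which should show a 3xx status with a `Location:` header pointing at the HTTPS port.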
Answer 2:
You just need to set up an HTTP connector and all your servlets will be available on HTTP also.
For operations requiring HTTPS, you need to enforce this yourself like this:
// inside the servlet's service/doGet/doPost method
if (!request.isSecure()) {
    response.sendError(HttpServletResponse.SC_FORBIDDEN);
    return;
}
In our case, the login URL may be typed in by user so we redirect the user to HTTPS page if HTTP URL is entered.
If you are talking about Servlet sessions (JSESSIONID), you shouldn't have any issues sharing sessions between HTTP and HTTPS since Tomcat doesn't add the "secure" flag to the cookies.
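The answer above checks `isSecure()` inside each servlet and mentions redirecting a typed-in HTTP login URL. The following is an added example written for this page, not code from the answer or from Tomcat: one servlet `Filter` that applies the check to a list of path prefixes, redirects plain-HTTP GET requests to the HTTPS equivalent, and refuses other methods with 403. It assumes the Servlet 2.5 API that Tomcat 6 ships, a hypothetical init parameter `httpsPort` (default 443), and the constructed prefix list `/login` and `/purchase`.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Forces selected paths onto HTTPS. Added example for this page, not code from
 * either answer. Assumes the Servlet 2.5 API (Tomcat 6) and a hypothetical
 * init-param "httpsPort" naming the TLS connector's port (443 when absent).
 */
public class RequireHttpsFilter implements Filter {

    /** Constructed list of context-relative path prefixes that must use HTTPS. */
    private static final List<String> SECURE_PREFIXES = Arrays.asList("/login", "/purchase");

    private int httpsPort = 443;

    public void init(FilterConfig config) throws ServletException {
        String port = config.getInitParameter("httpsPort");
        if (port != null) {
            httpsPort = Integer.parseInt(port.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, e.g. "/login" for "/shop/login".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (!request.isSecure() && requiresHttps(path)) {
            String method = request.getMethod();
            if ("GET".equals(method) || "HEAD".equals(method)) {
                // A typed-in http:// URL: send the browser to the same resource over TLS.
                response.sendRedirect(httpsUrl(request));
            } else {
                // A POST over plain HTTP has already sent its body in the clear and a
                // redirect would drop it anyway, so refuse instead of degrading silently.
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            }
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    /** True when the path is, or lies under, one of the protected prefixes. */
    static boolean requiresHttps(String path) {
        for (String prefix : SECURE_PREFIXES) {
            if (path.equals(prefix) || path.startsWith(prefix + "/")) {
                return true;
            }
        }
        return false;
    }

    /** Rebuilds the request URL with the https scheme, keeping path and query string. */
    private String httpsUrl(HttpServletRequest request) {
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        if (httpsPort != 443) {
            url.append(':').append(httpsPort);
        }
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }
}
```

Register it in web.xml with a `<filter>` element (optionally carrying the `httpsPort` init-param) and a `<filter-mapping>` on `/*`. Two caveats a practitioner will want to check: `isSecure()` only reports what the connector saw, so if TLS terminates on a proxy in front of Tomcat the connector receiving the forwarded traffic needs `secure="true"` for this check to pass; and because the same JSESSIONID cookie travels on the HTTP pages as well, it is visible in cleartext there, so it is worth issuing a fresh session at login (for example by invalidating the old one and creating a new one) rather than trusting a session identifier that has already crossed the network unencrypted.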
Source: https://stackoverflow.com/questions/1330187/use-https-only-for-certain-pages-in-servlet-based-webapp