I have 3 war files deployed on my tomcat (9) server. I have recently added SSL configuration and it works fine and auto-redirects all http requests to https.
The problem is that I need to redirect only some apps to https. Other(s) should work with http and https. They open as:
- https://example.com/frontApp/index.do
- https://example.com/backOne/index.do
- https://example.com/backTwo/index.do
backOne and backTwo shouldn't redirect to https.
I have tried various <url-pattern> in web.xml but nothing seems to achieve the above mentioned scenario.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/frontApp</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/backTwo</url-pattern>
  </web-resource-collection>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Have gone through a lot of questions here. This is the closest but I can't figure it out.
Sorry if answer is obvious and I can't see it. Don't have a lot of experience with tomcat.
CodePudding user response:
Put the constraint for confidential data transfer into the frontApp's web.xml. As you do not redirect the others, do not put such a constraint into them. There is no need to modify the global server configuration.
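
The per-application layout the answer describes, as an added example that is not part of the original question or answer. It assumes each WAR carries its own WEB-INF/web.xml and that no `/*` CONFIDENTIAL constraint remains in the shared conf/web.xml, since a constraint there would still apply to every application.

```xml
<!-- frontApp/WEB-INF/web.xml (fragment placed inside <web-app>).
     A url-pattern is matched against the path relative to this
     application's context root, so /* here covers every URL under
     /frontApp (including /frontApp/index.do) and nothing outside it.
     A pattern such as /frontApp would instead refer to
     /frontApp/frontApp, which is why it has no visible effect. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- Plain-HTTP requests are redirected to the HTTPS connector. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- backOne/WEB-INF/web.xml and backTwo/WEB-INF/web.xml:
     add no <user-data-constraint> at all. With no transport
     guarantee declared, these two applications answer on both
     the HTTP and the HTTPS connector without redirecting. -->
```

To check the result, request each application over plain HTTP: only /frontApp/index.do should answer with a redirect to the HTTPS port, while /backOne/index.do and /backTwo/index.do are served directly.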