How to set Tomcat not to have SSL for certain pages?

Hi!

I have successfully setup SSL for Tomcat via https://localhost:8443/ but this is for all web applications.

Is it possible to exempt certain directories or webpages not to have SSL?

Thanks

You would set that up in the web.xml file. At the end of this page is a short excerpt that shows which elements are involved: https://coderanch.com/how-to/java/ServletsFaq#security

Hi!

Thanks for your reply.

What I meant was to exempt a certain page in the application:

SSL:
https://localhost:8443/myApp/index.jsp
https://localhost:8443/myApp/otherpage.jsp
https://localhost:8443/myApp/sub/someother.jsp

except:

http://localhost:8080/myApp/sub/noSSL.jsp

How to I do that?

Thanks

I see. That setting can be used to enforce SSL on certain pages, not to disallow SSL on pages. But that link should still work as is (unless you force all pages in the web app to use SSL).

What is the purpose of not using SSL for just one page?

I do not recommend flip-flopping between SSL and non-SSL. You can end up exposing critical data, since presumably, the reason you entered SSL mode to begin with was to access secure information that would be exploitable on an open channel. And as a consequence of entering secure transport mode, Tomcat will have changed your session ID.

I haven't actually paid as much attention to the details as I might have, since this is one of these mechanisms that "just works" and there are too many other mechanisms that don't, but my impression is that once you enter SSL, you're going to stay there, even on pages not tagged for secure transport, at least unless you explicitly request otherwise (URLs beginning with "http" instead of "https"). But if you do and you manage to use the SSL-based sessionID, you will definitely have a possible exploit point.

Hi!

Thanks for your replies. The reason for just one page without SSL is for specific purpose which I have no control over.

BTW, I have tried:

<security-constraint> <web-resource-collection> <web-resource-name>SSL Free Page</web-resource-name> <url-pattern>/myApp/sub/noSSL.jsp </url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>

I can access noSSL.jsp without SSL but when I access http://localhost:8080/myApp/index.jsp, I still can access it with http.

How can I force all webpages to go to SSL except noSSL.jsp?

Please help. Thanks.

You can check whether it is being accessed via SSL in the page controller (however that is implemented - you should not access JSPs directly), and do a redirect to the non-SSL URL if it is. I don't think there's a way to tell Tomcat to do that by itself. If the Tomcat is fronted by an Apache, then this would be trivial using the mod_rewrite module.

The web.xml deployment descriptor can be used to enforce SSL or permit non-SSL by writing appropriate transport guarantees paired with URL patterns. I'm not aware offhand of how application program logic could reliably determine whether the received URL came in via HTTP or HTTPS. By the time the app gets the data it's no longer encrypted (if it ever was) and I suspect that an "https" on the front of the URL can be faked, but with proper container enforcement, it doesn't matter.

URL patterns are WAR-relative resource patterns, meaning that the protocol, domain-name/ip, webapp context name, security credentials (where used), parameters and anchor offsets are all stripped off before matching. So for example, the URL https://coderanch.com/mywebapp/jspcontroller/hellopart#paragraph_a?action=dothis&data=that would have a WAR-relative resource pattern match on "/jspcontroller/hellopart".

I do have JSPs that are not controller-backed, but that's because they're too trivial to have business logic in them. Stuff like "Hello" pages. So it's relatively easy for me to set up useful URL patterns. Apps that jump straight into heavy processing would need a Controller.

And yet one more reason why I encourage use of the built-in J2EE container security over DIY login/access systems is that the container can handle all of this as a seamless unit.

Hi!

I finally managed to do it. Append the following to the project's web.xml:

<security-constraint> <web-resource-collection> <web-resource-name>SSL Free Page</web-resource-name> <url-pattern>/sub/noSSL.jsp</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>SSL Pages</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>

only sub/noSSL.jsp has no SSL. All others webpages in the project has SSL.

Hope this helps someone.