3

We are trying to implement HTTPS for some pages in our application. So, we changed the Tomcat server.xml to make HTTPS calls as follows:

<Connector
           port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           acceptCount="100"
           maxKeepAliveRequests="15"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="/webapps/test.bin"
           keystorePass="test"/>

In application web.xml :

<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

So, HTTPS is applied to all pages. How can we restrict HTTPS to the desired pages?

Help would be appreciated.

Kiran

3 Answers

4

The Spring Security interceptor has a parameter, requires-channel. Set this parameter to https to enforce it for the URL patterns that match the interceptor.

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.4.xsd
            http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

   <security:http>
       <!-- Only requests matching this pattern are forced onto HTTPS -->
       <security:intercept-url pattern="/login" access="permitAll"
           requires-channel="https"/>
   </security:http>

</beans>
Ralph
2

Create the below class

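import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class RestHttpRequestFilter implements Filter {

   public void destroy() {

   }

   public void doFilter(ServletRequest servletRequest,
                ServletResponse servletResponse, FilterChain filterChain)
                throws IOException, ServletException {
     // if the ServletRequest is an instance of HttpServletRequest
     if (servletRequest instanceof HttpServletRequest) {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        System.out.println(httpServletRequest.getRequestURL());
        // isSecure() is false for plain HTTP. getProtocol() cannot be used for
        // this check: it returns "HTTP/1.1" for both HTTP and HTTPS requests.
        if (httpServletRequest.getRequestURL().toString().contains("/user/account")
                    && !httpServletRequest.isSecure()) {
            // ResourceNotFoundException is the application's own unchecked
            // exception; it is not defined in this answer.
            throw new ResourceNotFoundException(
                    "The url should be HTTPS");
        }
        filterChain.doFilter(httpServletRequest, servletResponse);
     } else {
        // otherwise, continue on in the chain with the ServletRequest and
        // ServletResponse objects
        filterChain.doFilter(servletRequest, servletResponse);
     }
   }

   public void init(FilterConfig filterConfig) throws ServletException {}

}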

web.xml entry

    <filter>
        <filter-name>simpleFilter</filter-name>
        <filter-class>RestHttpRequestFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>simpleFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
Jonathan Drapeau
Radh
1

A simple solution is to use an HttpFilter that checks the protocol and URL pattern and decides whether to forward the call to the application or to throw an exception that will cause the user to see an error page.

AlexR
  • OK. Please can you provide the solution in detail so that we can understand how to use the HttpFilter? – Kiran Nov 17 '11 at 10:00
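
One way such a filter could be written, as an added example that is not part of any answer above: it redirects plain-HTTP GET/HEAD requests for selected path prefixes to HTTPS and refuses other methods, whose body has already crossed the wire unencrypted. The class name `HttpsOnlyPathFilter` and the init-params `securePrefixes` and `httpsPort` are hypothetical names chosen for this sketch.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Added example (hypothetical class): forces HTTPS only for configured path prefixes.
public class HttpsOnlyPathFilter implements Filter {
    private String[] securePrefixes; // assumed init-param, e.g. "/login,/user/account"
    private int httpsPort;           // assumed init-param, e.g. 8443 (the connector's redirectPort)

    public void init(FilterConfig cfg) throws ServletException {
        String prefixes = cfg.getInitParameter("securePrefixes");
        String port = cfg.getInitParameter("httpsPort");
        if (prefixes == null || port == null) {
            throw new ServletException("securePrefixes and httpsPort init-params are required");
        }
        securePrefixes = prefixes.trim().split("\\s*,\\s*");
        httpsPort = Integer.parseInt(port.trim());
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Decoded path inside the web app, so ";jsessionid=..." or %-encoding cannot dodge the match.
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        if (request.isSecure() || !needsHttps(path)) {
            chain.doFilter(req, res); // already HTTPS, or this page may be served over HTTP
            return;
        }
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            // A POST body was already sent in clear text; refuse instead of redirecting.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        StringBuilder target = new StringBuilder("https://").append(request.getServerName());
        if (httpsPort != 443) target.append(':').append(httpsPort);
        target.append(request.getRequestURI());
        if (request.getQueryString() != null) target.append('?').append(request.getQueryString());
        response.sendRedirect(target.toString());
    }

    private boolean needsHttps(String path) {
        for (String prefix : securePrefixes) {
            if (path.equals(prefix) || path.startsWith(prefix + "/")) return true;
        }
        return false;
    }
    public void destroy() {}
}
```

It is registered with a `/*` filter-mapping in the same way as the web.xml entry in the earlier answer. A session cookie created on an HTTPS page is still sent with requests to the HTTP pages unless it carries the Secure flag.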