Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
For Servlet security, I read that in web.xml we can declare
<auth-constraints> and <user-data-constraint>
for turning on the SSL and for authentication purposes. But so far I personally haven’t seen any of these declarations in real life web.xml’s (apps running on Tomcat, Glassfish)
So I wonder what are the substitute ways of achieving these goals? and which way is preferred?
Depends strongly on the used application server, but in general there is no way to make application server to expose the application using SSL without enabling it on the level of the AS (not the deployment descriptor).
For instance for Tomcat, the SSL connector (default port 8443) has to be enabled in
server.xml. You may then use Apache (httpd) as a reverse proxy usingmod_proxyormod_jk.In the code you may use
ServletFilterto intercept all the requests and if the communication is not on top of SSL, you may redirect the user to some login page.