I once observed that a web server brought me into an SSL channel after I clicked a link on a page that was accessed over a non-SSL channel.
At the time, I wondered how it did this.
In fact, it is easy to implement this in Java. The only thing you need to set is the transport-guarantee element in web.xml.
Below is a sample web.xml.

<!-- This resource can only be accessed by clients that present
     a trusted client certificate -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Resource protected by client cert</web-resource-name>
        <url-pattern>/ProtectedByClientCert</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>members</role-name>
    </auth-constraint>
    <!-- Here we specify that access to this resource must be over an SSL channel.
         The container will automatically use https to access this resource. -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
However, you must first enable the secure port of the web container. In the above example you also need to make CLIENT-CERT work first.
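
A check a deployer can run over a descriptor, as an added example that is not part of the original post: it parses a web.xml and reports every security-constraint that requires a role but does not declare CONFIDENTIAL. The sample descriptor, the /admin/* pattern and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one constraint like the post's, one missing the guarantee.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Resource protected by client cert</web-resource-name>
      <url-pattern>/ProtectedByClientCert</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>members</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>members</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

def local(tag):
    """Strip an XML namespace so namespaced and plain descriptors both work."""
    return tag.rsplit("}", 1)[-1]

def find_all(elem, name):
    """All descendants (and elem itself) whose local tag name matches."""
    return [e for e in elem.iter() if local(e.tag) == name]

def audit_web_xml(xml_text):
    """Return (url_pattern, guarantee) for each constraint that requires a
    role but does not declare transport-guarantee CONFIDENTIAL."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in find_all(root, "security-constraint"):
        if not find_all(sc, "auth-constraint"):
            continue  # no role required; out of scope for this check
        tg = find_all(sc, "transport-guarantee")
        guarantee = (tg[0].text or "").strip().upper() if tg else "NONE"
        if guarantee != "CONFIDENTIAL":
            for p in find_all(sc, "url-pattern"):
                findings.append(((p.text or "").strip(), guarantee))
    return findings

if __name__ == "__main__":
    for pattern, guarantee in audit_web_xml(SAMPLE_WEB_XML):
        print(f"{pattern}: transport-guarantee is {guarantee}, expected CONFIDENTIAL")
```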