How to implement HTTPS for desired pages in application?

Question

We are trying to implement HTTPS for some pages in our application.So,we changed tomcat server.xml to make HTTPS calls as follows:

<Connector
           port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           acceptCount="100"
           maxKeepAliveRequests="15"
           SSLEnabled="true"
           scheme="https"
           secure="true"
     clientAuth="false" sslProtocol="TLS"
     keystoreFile="/webapps/test.bin"
           keystorePass="test"/>

In application web.xml :

<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

So,HTTPS is applying for all pages.How to restrict HTTPS for desired pages.

Help would be appreciated.

Answer 1

Spring Security Interceptor have a parameter requires-channel . Set this parameter to https to enforce it for the url patterns that match the interceptor.

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.4.xsd
            http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

   <security:http>
       <security:intercept-url pattern="/login" access="permitAll"
           requires-channel="https"/>
   </security:http> 

</bean>

Answer 2

Create the below class

public class RestHttpRequestFilter implements Filter {

   public void destroy() {

   }

   public void doFilter(ServletRequest servletRequest,
                ServletResponse servletResponse, FilterChain filterChain)
                throws IOException, ServletException {
     // if the ServletRequest is an instance of HttpServletRequest
     if (servletRequest instanceof HttpServletRequest) {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            System.out.println(httpServletRequest.getRequestURL());
            if (httpServletRequest.getRequestURL().toString().contains("/user/account")
                        && servletRequest.getProtocol().contains("HTTP")) {
                    throw new ResourceNotFoundException(
                            "The url should be HTTPS");
           }
       filterChain.doFilter(httpServletRequest, servletResponse);
     } else {
           // otherwise, continue on in the chain with the ServletRequest and
           // ServletResponse objects
           filterChain.doFilter(servletRequest, servletResponse);
     }  
     return;
   }

   public void init(FilterConfig filterConfig) throws ServletException {}

}

web.xml entry

    <filter>
        <filter-name>simpleFilter</filter-name>
        <filter-class>RestHttpRequestFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>simpleFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Answer 3

简单的解决方案是使用HttpFilter来检查协议和URL模式，并决定是将转发转发给应用程序还是抛出异常，导致用户看到错误页面。