users@glassfish.java.net

Re: what are differences between making a listener https or configuring web.xml and sun-web.xml?

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Thu, 05 Apr 2007 19:30:29 -0700

legolas wrote On 04/05/07 01:16 AM,:

>Hi
>I find that we can use both web.xml and sun-web.xml to make some url
>protected by SSL,
>What are the differences between making a listener secure (ssl, tls) and using
>these two configuration files?
>
>

Any and all requests received by an HTTPS listener automatically
participate in SSL, even if the resources to which they get mapped do
not explicitly require SSL.

On the other hand, you can protect all (or a subset) of your webapp's
resources with SSL, by declaring corresponding security constraints
(that apply to one or more URL patterns) with a transport-guarantee of
CONFIDENTIAL.

If your webapp is accessible thru both HTTP and HTTPS listeners, and a
request received thru the HTTP listener is mapped to a resource that
is matched by a security constraint requiring CONFIDENTIAL transport,
the container will redirect the request to the HTTPS listener.

Likewise, any and all requests received by an HTTPS listener that
requires client authentication will go thru an SSL handshake that
includes client auth. On the other hand, if your webapp requires
CLIENT-CERT authentication, and the request was received by an HTTPS
listener that does not automatically perform client auth, an SSL
handshake will be re-performed, this time with client auth enabled.


Jan



>Thanks
>
>
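
An added example, not part of the original message: a web.xml fragment showing the two declarative mechanisms described in the reply, a CONFIDENTIAL transport guarantee on a URL pattern and CLIENT-CERT authentication. The URL patterns, resource names and role name are constructed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Transport only: a request for /account/* that arrives on the
       HTTP listener is redirected by the container to the HTTPS
       listener. No authentication is required here. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>account-pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Transport plus authentication: /admin/* requires SSL and a
       caller in the (constructed) role "admin". -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The caller is authenticated by client certificate. If the HTTPS
       listener did not request a certificate during the first
       handshake, the handshake is performed again with client auth
       enabled, as the reply describes. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <!-- Resources matched by no constraint (for example /public/*) stay
       reachable over plain HTTP when an HTTP listener is enabled. -->
</web-app>
```

With this in place, disabling the HTTP listener is the listener-level way to force SSL for everything, while the constraints above enforce it only for the matched URL patterns.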