1 Reply Latest reply on May 23, 2008 5:25 AM by Vackar

    Tomcat HTTPS SSL Authentication (WITH SECURITY CONSTRAINT)

    Vackar Level 2
      Hi all,

      I have a Flex application which is embedded into a page which is protected using container-managed authentication.

      The constraints look like this:
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>main</web-resource-name>
          <url-pattern>/pages/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>folioTracker</web-resource-name>
          <url-pattern>/pages/folioTracker/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>projects-admin</role-name>
          <role-name>projects-user</role-name>
          <role-name>portal-admin</role-name>
        </auth-constraint>
      </security-constraint>

      When I try to access https://server/appName/pages/folioTracker/nameOfPage.ext from Firefox it works fine, but when I try to access it from IE the Flash file doesn't load. The strange thing is that if I remove the security constraints it works fine.

      Any help would be much appreciated

        • 1. Re: Tomcat HTTPS SSL Authentication (WITH SECURITY CONSTRAINT)
          Vackar Level 2
          Right, for anyone else who has this problem, do this (found it in a Google group):

          quote:


          I figured out what the main issue is to the problem. It's a general issue in IE
          http://support.microsoft.com/kb/812935 that when using HTTPS to download files
          the response header can't contain "Cache-Control : no-cache", or
          "Cache-Control: no-store". By default in tomcat the Cache-Control response
          header is no-cache.

          So I created a filter in my web.xml file for my app to change the headers when
          loading *.swf files.

          Here is what I added to my web.xml:
          <filter>
            <filter-name>IESSLCacheIssue</filter-name>
            <filter-class>com.myCompany.filter.ResponseHeaderFilter</filter-class>
            <init-param>
              <param-name>Pragma</param-name>
              <param-value>public</param-value>
            </init-param>
            <init-param>
              <param-name>Cache-Control</param-name>
              <param-value>no-transform,max-age=0</param-value>
            </init-param>
          </filter>

          <filter-mapping>
            <filter-name>IESSLCacheIssue</filter-name>
            <url-pattern>*.swf</url-pattern>
          </filter-mapping>

          And here is my com.myCompany.filter.ResponseHeaderFilter class

          package com.myCompany.filter;

          import java.io.IOException;
          import java.util.Enumeration;

          import javax.servlet.Filter;
          import javax.servlet.FilterChain;
          import javax.servlet.FilterConfig;
          import javax.servlet.ServletException;
          import javax.servlet.ServletRequest;
          import javax.servlet.ServletResponse;
          import javax.servlet.http.HttpServletResponse;

          /**
           * Sets one response header per init-param declared for this filter in
           * web.xml (param-name is the header name, param-value the header value).
           */
          public class ResponseHeaderFilter implements Filter {

              private FilterConfig filterConfig;

              public void destroy() {
                  // Nothing to release.
              }

              @SuppressWarnings("unchecked")
              public void doFilter(ServletRequest request, ServletResponse response,
                      FilterChain filterChain) throws IOException, ServletException {
                  HttpServletResponse httpResponse = (HttpServletResponse) response;

                  Enumeration<String> initParameterNames =
                          filterConfig.getInitParameterNames();

                  // setHeader replaces any value already set for the same header name.
                  while (initParameterNames.hasMoreElements()) {
                      String headerName = initParameterNames.nextElement();
                      String headerValue = filterConfig.getInitParameter(headerName);
                      httpResponse.setHeader(headerName, headerValue);
                  }

                  // Headers are set before the rest of the chain writes the response.
                  filterChain.doFilter(request, httpResponse);
              }

              public void init(FilterConfig filterConfig) throws ServletException {
                  // Keep the config so doFilter can read the init-params.
                  this.filterConfig = filterConfig;
              }

          }
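
An added example, not part of the original thread or the quoted post: a small Python check that reads a raw response header block and reports the Cache-Control directives the quoted post says IE rejects on HTTPS downloads, so the filter's effect can be confirmed. The sample responses are constructed and the function names are hypothetical.

```python
# Added example: header check for the IE-over-HTTPS download rule quoted above.
import re

# Directives the quoted post says must not appear on HTTPS file downloads for IE.
BLOCKING = {"no-cache", "no-store"}

# Constructed sample responses (not captured from a real server).
BEFORE_FILTER = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-Type: application/x-shockwave-flash\r\n\r\n"
)
AFTER_FILTER = (
    "HTTP/1.1 200 OK\r\n"
    "Pragma: public\r\n"
    "Cache-Control: no-transform,max-age=0\r\n"
    "Content-Type: application/x-shockwave-flash\r\n\r\n"
)


def cache_directives(raw_response):
    """Return the lower-cased Cache-Control directive names in a raw header block."""
    names = []
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "cache-control":
            continue
        # Split on commas outside quoted strings, e.g. no-cache="Set-Cookie, X".
        for part in re.findall(r'(?:[^,"]|"[^"]*")+', value):
            directive = part.split("=", 1)[0].strip().lower()
            if directive:
                names.append(directive)
    return names


def ie_https_blockers(raw_response):
    """Directives that would trigger the IE HTTPS download failure described above."""
    return sorted(set(cache_directives(raw_response)) & BLOCKING)


if __name__ == "__main__":
    for label, raw in (("before", BEFORE_FILTER), ("after", AFTER_FILTER)):
        print(label, ie_https_blockers(raw) or "ok")
```
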