3). As is typical with servlet-managed
security, this approach is more portable but requires significantly more effort.
The use of SSL in programmatic security may require one or more of the following
capabilities not needed in normal programmatic security:
• Determining if SSL is in use.
• Redirecting non-SSL requests.
• Discovering the number of bits in the key.
• Looking up the encryption algorithm.
• Accessing client X.509 certificates.
Details on these capabilities follow.
Determining If SSL Is in Use
The ServletRequest interface provides two methods that let you find out if SSL
is in use. The getScheme method returns "http" for regular requests and
"https" for SSL requests. The isSecure method returns false for regular
requests and true for SSL requests.
Redirecting Non-SSL Requests
With container-managed security, you can use the transport-guarantee subelement
of user-data-constraint to ensure that the server redirects regular
(http) requests to the SSL (https) equivalent. See Section 3.5 (Configuring Tomcat to
Use SSL) for details.
In programmatic security, you might want to explicitly do what the server automatically
does with container-managed security. Once you have a URL, redirection is
straightforward: use response.sendRedirect.
The difficulty is in generating the URL in the first place. Unfortunately, there is
no built-in method that says "give me the complete incoming URL with http changed
to https."
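One way to build that URL and issue the redirect, shown as an added example that is not code from the book. The class name SslRedirector and the canonicalHost and httpsPort settings are assumptions; the host comes from deployment configuration rather than request.getServerName() because that value follows the client-supplied Host header.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper: sends non-SSL requests to their https equivalent. */
public class SslRedirector {
    // Assumption: both values are read from deployment configuration,
    // so the redirect target never depends on request headers.
    private final String canonicalHost;
    private final int httpsPort;

    public SslRedirector(String canonicalHost, int httpsPort) {
        this.canonicalHost = canonicalHost;
        this.httpsPort = httpsPort;
    }

    /** Builds the https form of the incoming request URL. */
    public String httpsUrl(HttpServletRequest request) {
        StringBuilder url = new StringBuilder("https://").append(canonicalHost);
        if (httpsPort != 443) {
            url.append(':').append(httpsPort); // omit the default SSL port
        }
        // getRequestURI is the path part of the URL, still URL-encoded,
        // without the query string.
        url.append(request.getRequestURI());
        String query = request.getQueryString(); // null when there is none
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    /**
     * Redirects if the request did not arrive over SSL.
     * Returns true when a redirect was sent, so the caller stops processing.
     */
    public boolean redirectIfInsecure(HttpServletRequest request,
                                      HttpServletResponse response)
            throws IOException {
        if (request.isSecure()) {
            return false; // already SSL: let the servlet continue
        }
        response.sendRedirect(httpsUrl(request));
        return true;
    }
}
```

A servlet would call redirectIfInsecure at the top of doGet and return immediately when it yields true. The redirect carries only the path and query string, so the body of a POST that arrived over plain http is not resubmitted and has already crossed the network unencrypted.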