Web Server: URL Rewrite to Forbid Non-SSL Requests
From Resin 4.0 Wiki
Revision as of 00:00, 12 January 2012
If a section of your website must be served over SSL, you can combine Resin's URL-rewriting tag for HTTP Forbidden (403) with IfSecure, a predicate that tests for SSL connections. The snippet to return a Forbidden response looks like the following:
WEB-INF/resin-web.xml to require SSL for /secure
  <web-app xmlns="http://caucho.com/ns/resin"
           xmlns:resin="urn:java:com.caucho.resin">

    <resin:Forbidden regexp="^/secure">
      <resin:IfSecure value="false"/>
    </resin:Forbidden>

  </web-app>
If you want a custom error page, you can use <error-page error-code="403" location="..."/> to make the returned error page look nicer.
The Resin Web Server URL rewrite works on a rule-based system. The URL is matched first with a regular expression, and then any internal predicates are tested.
In this example, the Forbidden rule matches only URLs starting with /secure, and then tests whether the request's isSecure() is false. If the request is insecure and the URL matches /secure, the Forbidden rule matches and Resin returns a 403 error page.
URL redirect for insecure
You can instead use a redirect to force the use of SSL by replacing the <resin:Forbidden> with a <resin:Redirect> as follows:
  <web-app xmlns="http://caucho.com/ns/resin"
           xmlns:resin="urn:java:com.caucho.resin">

    <resin:Redirect regexp="^/secure" target="https://${host.name}/secure">
      <resin:IfSecure value="false"/>
    </resin:Redirect>

  </web-app>
The <resin:Redirect> rule sends a redirect to the "target" location. You can either put in the explicit URL for the target, or use a Resin EL expression for the current host name, like ${host.name}.
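The two-step matching described above (regular expression first, then the IfSecure predicate) can be checked against sample requests with a small model. This is an added example, not Resin's code or part of the original page; the Rule class, the dispatch function, the sample paths and the host www.example.com are all hypothetical, and ${host.name} is assumed to expand to the request's host name.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:                       # hypothetical stand-in for one rewrite tag
    action: str                   # "forbidden" (resin:Forbidden) or "redirect" (resin:Redirect)
    regexp: str                   # the tag's regexp attribute
    if_secure: bool               # value attribute of the nested resin:IfSecure
    target: Optional[str] = None  # target attribute of resin:Redirect

# The two configurations shown on this page, expressed as model rules.
FORBID = [Rule("forbidden", "^/secure", if_secure=False)]
REDIRECT = [Rule("redirect", "^/secure", if_secure=False,
                 target="https://${host.name}/secure")]

def dispatch(rules, path: str, is_secure: bool,
             host: str = "www.example.com") -> Tuple[str, Optional[str]]:
    """Return ("403", None), ("redirect", location) or ("pass", None)."""
    for rule in rules:
        if not re.search(rule.regexp, path):   # step 1: regular expression on the URL
            continue
        if is_secure != rule.if_secure:        # step 2: IfSecure predicate
            continue
        if rule.action == "forbidden":
            return "403", None
        # Assumption: ${host.name} expands to the request's host name.
        return "redirect", rule.target.replace("${host.name}", host)
    return "pass", None

# Constructed sample requests: (path, value of request.isSecure())
SAMPLES = [("/secure/account", False), ("/secure/account", True),
           ("/public/index.html", False), ("/secure-reports", False)]

if __name__ == "__main__":
    for path, secure in SAMPLES:
        print(path, secure, dispatch(FORBID, path, secure),
              dispatch(REDIRECT, path, secure))
```

In this model /secure-reports is also caught, because ^/secure has no path boundary after the prefix, and the redirect target as written always points at /secure rather than at the path that was originally requested.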