SSL Servlet for sensitive User-Data, NonSSL Servlet for everything else

I've got different RemoteServiceServlets. One which handles everything which has to do with User-Data. User-Data should be exchanged via a secure SSL connection.

Secondly, there is a normal Servlet which handles everything else which doesn't have to be secure.

Is there a way to declare e.g. in the web.xml file to use SSL for a special servlet and no SSL otherwise?

I'm using Apache + Tomcat. Perhaps, there is a possibility that Apache and the Rewrite-Engine or something can help me with this?

Help would be very appreciated!

All the best, Thomas


Check out this link:

http://techtracer.com/2007/09/12/setting-up-ssl-on-tomcat-in-3-easy-steps/

You can define the paths which you would like to be accessed by SSL by defining these in the web.xml file (as you guessed):

<security-constraint>
  <web-resource-collection>
    <web-resource-name>securedapp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

You only have to adjust the url-pattern.

Greets
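To check which servlet paths a given url-pattern actually puts behind CONFIDENTIAL, the sketch below (an added example, not part of the answer above) resolves each servlet-mapping against the security constraints using the servlet url-pattern match order. The servlet names and paths are hypothetical; it ignores http-method restrictions and assumes each url-pattern appears in only one constraint.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml; servlet names and paths are hypothetical.
WEB_XML = """<web-app>
  <servlet-mapping><servlet-name>userDataService</servlet-name>
    <url-pattern>/app/secure/userdata</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>publicService</servlet-name>
    <url-pattern>/app/public</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>securedapp</web-resource-name>
      <url-pattern>/app/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def match_rank(pattern, path):
    """Rank a url-pattern match: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def transport_guarantees(web_xml):
    """Return {servlet-mapping path: transport-guarantee of the best-matching constraint}."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                      # drop any XML namespace prefix
        el.tag = el.tag.split("}")[-1]
    rules = []
    for sc in root.iter("security-constraint"):
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        rules += [(p.text.strip(), guarantee) for p in sc.iter("url-pattern")]
    result = {}
    for mapping in root.iter("servlet-mapping"):
        path = mapping.findtext("url-pattern").strip()
        hits = [(match_rank(p, path), g) for p, g in rules if match_rank(p, path)]
        result[path] = max(hits)[1] if hits else "NONE"
    return result

if __name__ == "__main__":
    for path, guarantee in transport_guarantees(WEB_XML).items():
        print(f"{path}: {guarantee}")
```

Any path reported as NONE is still reachable over plain HTTP, so a servlet that handles user data should never appear with that value.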


You'll hit the Same Origin Policy if you try to use both SSL and "in the clear" requests in your app (whether the scripts are loaded from a secure or unsecure origin; so the <add-linker> suggested by Peter won't be of any help here).

Recent browsers (except Internet Explorer, of course, or at least not without a few tricks, which in GWT are unfortunately more like hacks), with CORS, will allow you to do this, but, because you'll mix secured and unsecured calls, will display a nasty "unsecure" badge next to the URL.

If you need SSL for some requests, then you should use SSL everywhere. There is nowadays no reason to mix secured and unsecured requests in the same app.


Take a look at JSONP to bypass the SOP. You could create requests for user related data that are secured with SSL.
