If the data being displayed or entered on your website is sensitive or private, SSL should be used so that third parties cannot view the data in transit and it remains confidential.
If it is important that data is sent and received in its entirety and without modification, SSL can also be used to ensure data integrity.
Tomcat, and other JSP containers can guarantee that SSL is used for certain areas of your site. This can be achieved by adding a security constraint to your web.xml file.
You can either protect your entire site, or a small section of it, such as a folder or individual page.
This is very simple, and only requires an SSL certificate (served by an HTTPS connector in Tomcat) and the text below to be copy/pasted into your web.xml.
<!-- Force SSL for entire site -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!-- Force SSL for the members folder only -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Members Folder</web-resource-name>
        <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!-- Don't force SSL on notify.jsp -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Notify page, accessed internally by application</web-resource-name>
        <url-pattern>/notify.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Force SSL for entire site -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Site</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
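A quick way to check which transport guarantee actually applies to a given path, before deploying, is to resolve the constraints the way Tomcat does: an exact url-pattern match wins over the longest path prefix, which wins over an extension pattern, which wins over the default "/" pattern. This means the /notify.jsp exception above takes effect regardless of where it sits relative to the /* constraint. The audit script below is an added example (not part of the original page or of Tomcat); the embedded web.xml is a constructed sample built from the constraints shown above, and the helper names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml reproducing the notify.jsp exception plus the
# site-wide CONFIDENTIAL constraint from the page above.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Notify page</web-resource-name>
      <url-pattern>/notify.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Site</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so the parser works for any web-app schema version."""
    return tag.rsplit('}', 1)[-1]


def load_constraints(web_xml_text):
    """Return (url_pattern, transport_guarantee) pairs from a web.xml document.
    A security-constraint without a user-data-constraint imposes no transport
    requirement, so it is recorded as NONE."""
    root = ET.fromstring(web_xml_text)
    constraints = []
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        guarantee = 'NONE'
        patterns = []
        for el in sc.iter():
            name = _local(el.tag)
            if name == 'url-pattern':
                patterns.append((el.text or '').strip())
            elif name == 'transport-guarantee':
                guarantee = (el.text or 'NONE').strip().upper()
        constraints.extend((p, guarantee) for p in patterns)
    return constraints


def _match_quality(pattern, path):
    """Rank how specifically a url-pattern matches a request path using the
    servlet matching order Tomcat applies to security constraints:
    exact > longest path prefix > extension > default '/'. None = no match."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith('/*'):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + '/'):
            return (2, len(prefix))
    if pattern.startswith('*.') and path.endswith(pattern[1:]):
        return (1, 0)
    if pattern == '/':
        return (0, 0)
    return None


def transport_guarantee(constraints, path):
    """Effective transport guarantee for one request path. When several
    constraints share the winning pattern, Tomcat lets the request through
    on plain HTTP if any of them says NONE, so the weakest guarantee wins."""
    best = None
    for pattern, guarantee in constraints:
        quality = _match_quality(pattern, path)
        if quality is None:
            continue
        if best is None or quality > best[0]:
            best = (quality, [guarantee])
        elif quality == best[0]:
            best[1].append(guarantee)
    if best is None or 'NONE' in best[1]:
        return 'NONE'
    return 'CONFIDENTIAL' if 'CONFIDENTIAL' in best[1] else 'INTEGRAL'


def audit(web_xml_text, paths):
    """Map each sample path to the guarantee Tomcat would enforce for it."""
    constraints = load_constraints(web_xml_text)
    return {p: transport_guarantee(constraints, p) for p in paths}


if __name__ == '__main__':
    for path, guarantee in audit(WEB_XML, ['/', '/notify.jsp', '/members/account.jsp']).items():
        print(f'{path:25} {guarantee}')
```

Run it against your real web.xml by reading the file into `audit()` with the paths you care about; any path that unexpectedly resolves to NONE is a page that will be served over plain HTTP.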
By default, Tomcat redirects a plain-HTTP request for a CONFIDENTIAL resource to its HTTPS equivalent with a 302 (Found) status code. For SEO purposes, a 301 (Moved Permanently) status code may be preferred. Be aware that a 301 instructs clients (and search engines) that the page has permanently moved, so they will not bother checking the http version any longer; browsers also cache 301 responses.
Since Tomcat 7.0.70, 8.0.37 and 8.5.4, there is a new attribute, transportGuaranteeRedirectStatus, which can be used to change the status code. This attribute is added to the Realm element in server.xml, since the Realm is responsible for the redirect itself. In most cases, your top-level Realm will be the LockOutRealm. If you have nested Realms, you will need to add it to the relevant Realm declaration. If you don't have an existing Realm declared, the NullRealm is used by default; in this case, you will need to explicitly declare the NullRealm to add the attribute, or use the default LockOutRealm as in the example below.
Here is an example which forces the redirect to use a 301 status. Note this change goes into server.xml, not web.xml.
<Realm className="org.apache.catalina.realm.LockOutRealm" transportGuaranteeRedirectStatus="301">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase". Any edits that are performed
         against this UserDatabase are immediately available for use by the
         Realm. -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase" />
</Realm>
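After changing the redirect status it is worth confirming, from outside, that a plain-HTTP request for a protected path really comes back with the status you configured and with an https:// Location. The checker below is an added example, not code from the page or from Tomcat; `probe()` makes a real request without following redirects, while `parse_status_and_location()` lets the same check run over saved `curl -sI` output. The two raw responses are constructed samples with a made-up hostname.

```python
import http.client
import sys
from urllib.parse import urlsplit

# Constructed sample responses: Tomcat's default 302, and the 301 produced
# after setting transportGuaranteeRedirectStatus="301". Hostname is made up.
DEFAULT_RESPONSE = (
    "HTTP/1.1 302 \r\n"
    "Location: https://www.example.com/members/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
PERMANENT_RESPONSE = (
    "HTTP/1.1 301 \r\n"
    "Location: https://www.example.com/members/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_status_and_location(raw_response):
    """Pull the status code and Location header out of a raw HTTP response
    (e.g. saved output of `curl -sI http://host/path`)."""
    lines = raw_response.replace('\r\n', '\n').split('\n')
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(':')
        if name.strip().lower() == 'location':
            location = value.strip()
    return status, location


def evaluate_redirect(status, location, expected_status=302):
    """Judge a plain-HTTP response for a CONFIDENTIAL resource.
    Returns (ok, reason); ok is True only when the container redirected with
    the expected status code to an https:// URL."""
    if status != expected_status:
        return False, f"expected status {expected_status}, got {status}"
    if not location:
        return False, "redirect carried no Location header"
    if urlsplit(location).scheme.lower() != 'https':
        return False, f"redirect target is not https: {location}"
    return True, f"redirected to {location}"


def probe(host, path, port=80, timeout=5):
    """Send one plain-HTTP GET without following redirects and return
    (status, Location). This is a real network call for stand-alone use."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request('GET', path, headers={'Host': host})
        resp = conn.getresponse()
        return resp.status, resp.getheader('Location')
    finally:
        conn.close()


if __name__ == '__main__':
    # usage: python check_redirect.py <host> <path> [expected_status]
    host, path = sys.argv[1], sys.argv[2]
    expected = int(sys.argv[3]) if len(sys.argv) > 3 else 302
    ok, reason = evaluate_redirect(*probe(host, path), expected_status=expected)
    print(('OK   ' if ok else 'FAIL ') + reason)
    sys.exit(0 if ok else 1)
```

Pass 301 as the third argument after applying the server.xml change; a FAIL with "got 302" means the attribute landed on a Realm other than the one handling the redirect.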