tomcat-users mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Tomcat 4.0 redirectPort question, how to redirect to SSL?
Date Thu, 19 Jul 2001 22:59:37 GMT


On Wed, 18 Jul 2001, Jonathan Eric Miller wrote:

> I read in another message that was posted to this list that you can use the
> redirectPort variable in server.xml for a connector to have a non-SSL
> connection redirected to a SSL connection?
> 
> Can someone tell me what other settings I need to use in order to get this
> to work?
> 
> Basically, what I want to do is make it so that all connections using
> http:// get redirected to https://. i.e. I want to require SSL. However, I
> still want the Web server to listen on port 80 that way if a user forgets to
> enter the 's' at the end of https they will still get to the right place.

The scenario to make this work goes as follows (Tomcat standalone only -- 
I haven't tried any of this through the web connector):

- Configure your conf/server.xml file appropriately.  That means you must
  define a non-ssl <Connector> and an ssl <Connector> inside the same
  <Service> element (so that the two connectors share the same set of
  virtual hosts and web apps).  An example might look like this:

    <Service ...>

      <Connector port="8080" redirectPort="8443" ... />  <!-- Non-SSL -->
      <Connector port="8443" ... />                      <!-- SSL -->

      <Engine ... />

    </Service>

- Note in the above we have declared on the non-SSL port (8080) that the
  corresponding SSL port talking to the same applications is 8443.  You
  can (of course) modify the port numbers to suit your needs.

- In the deployment descriptor for your web app (/WEB-INF/web.xml),
  create a security constraint that contains a "transport guarantee"
  that requires SSL.  To do this for an entire web app, something like
  the following works:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Entire Web App</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

- Now, whenever a user accesses any non-SSL url within your app, like:

    http://myhost:8080/myapp/foo/bar.jsp

  they will be transparently redirected (by the container) to:

    https://myhost:8443/myapp/foo/bar.jsp

  (keeping any current session, if there is one).

- Note that you don't *have* to protect the entire web app as we did
  in the example above.  For instance, in a shopping cart you might
  only want to do this on the check-out page where you ask for the
  credit card number.  You would do this by specifying a <url-pattern>
  that only covered your checkout pages.  See the servlet spec for
  details on legal URL patterns.

> 
> Ideally, I would also like to require 128-bit encryption as well,

On an SSL connection (under Servlet 2.3) there are two new request
attributes that are set by the container on SSL requests:

- javax.servlet.request.cipher_suite - Name of the SSL cipher suite
  that was used to establish this SSL session

- javax.servlet.request.key_size - Number of bits in the key used for
  this cipher suite algorithm.

Thus, it would be very easy to write application code that checks the key
size and rejects the request if it's less than 128 bits.  To avoid
polluting your actual application code, this would be a good thing to
implement as a Filter (using the Filter API added in servlet 2.3).

> but, if
> anyone can answer the question about redirection, I would be greatly
> appreciative.
> 
> Anyone know how to do this?
> 
> Also, I'm wondering if the variables and values for web.xml and server.xml
> are documented somewhere? For example, I'm thinking that maybe there is a
> <security-constraint> setting that you may need to use that specifies that
> access to a servlet needs to be over SSL or something?
> 

The legal contents of the web.xml file are documented in the Servlet
Specification (http://java.sun.com/products/servlet/download.html).  
These are portable across all compliant servlet containers.  Tomcat 4.0
beta 6 (to be released tonight) implements the "Version 2.3 Proposed Final
Draft 3" version of the spec.

About 90% of the server.xml stuff (for Tomcat 4.0 only) is documented and
visible through Tomcat once you get it running.  Follow the links "General
Tomcat User Documentation" --> "Server Configuration" and click the links
for the xml element you are interested in, like <Context>.  One big thing
that's missing is a "User's Guide" approach to this information, but at
least the majority of the reference material is available here.

> Jon
> 
> 
> 

Craig McClanahan
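The Filter Craig suggests for the 128-bit requirement, written out as an added example (this is not code from the original message or from Tomcat itself). It reads the two Servlet 2.3 request attributes named above and refuses the request when the negotiated symmetric key is shorter than a configured minimum. The class name MinKeySizeFilter, the init-param name minKeySize, and the choice of a 403 response are assumptions made for this illustration. Note that the CONFIDENTIAL transport guarantee only forces the request onto the SSL connector; it says nothing about which cipher suite the client negotiated, so this filter is the piece that actually enforces key strength.

```java
// Added example (not from the original message): a Servlet 2.3 Filter that
// rejects SSL requests negotiated with a symmetric key shorter than a
// configured minimum, using the two request attributes listed above.
// MinKeySizeFilter and the "minKeySize" init-param are assumed names.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class MinKeySizeFilter implements Filter {

    // Attribute names defined by the Servlet 2.3 specification.
    // key_size is set as a java.lang.Integer, cipher_suite as a String.
    private static final String KEY_SIZE = "javax.servlet.request.key_size";
    private static final String CIPHER_SUITE = "javax.servlet.request.cipher_suite";

    private int minKeySize = 128;   // default; overridable via init-param

    public void init(FilterConfig config) throws ServletException {
        String value = config.getInitParameter("minKeySize");
        if (value != null) {
            minKeySize = Integer.parseInt(value.trim());
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // Plain HTTP never carries the attributes; refuse it outright.
        if (!request.isSecure()) {
            reject(response, "SSL required");
            return;
        }
        Integer keySize = (Integer) request.getAttribute(KEY_SIZE);
        String suite = (String) request.getAttribute(CIPHER_SUITE);
        // Fail closed: a missing attribute is treated as too weak, not as OK.
        if (keySize == null || keySize.intValue() < minKeySize) {
            reject(response, "Cipher suite " + suite + " is too weak: "
                    + keySize + "-bit key, need at least " + minKeySize);
            return;
        }
        chain.doFilter(request, response);
    }

    private void reject(ServletResponse response, String reason) throws IOException {
        // 403 rather than a redirect: the client has already chosen its
        // cipher suite, so there is no "stronger" URL to send it to.
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN, reason);
    }

    public void destroy() {
    }
}

/*
 * Registration in /WEB-INF/web.xml (Servlet 2.3 element order: <filter> and
 * <filter-mapping> come before <servlet>), applying it to the whole app:
 *
 *   <filter>
 *     <filter-name>MinKeySize</filter-name>
 *     <filter-class>MinKeySizeFilter</filter-class>
 *     <init-param>
 *       <param-name>minKeySize</param-name>
 *       <param-value>128</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>MinKeySize</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
```

Two practical points: the key_size value is the symmetric (bulk cipher) strength of the negotiated suite, not the server certificate's RSA size, so 128 here means a 128-bit RC4 or AES suite; and because the filter runs after the container has already completed the SSL handshake, it can only refuse a weak session, not upgrade it. If you also want the redirect behaviour from the first half of the message, keep the CONFIDENTIAL security constraint in place; the filter then only ever sees requests that have already been bounced onto the SSL connector.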


