tomcat-users mailing list archives

From "SPIELMANN Christophe" <>
Subject Tomcat 5 with HTTPS to protect a subset of a webapp : pb url-pattern + security constraint
Date Thu, 08 Jul 2004 14:02:06 GMT

Hello there,

I use the classic Tomcat 5.0.18 without any modification.

I would like to protect a subset of my webapp. To do so, I did the following:
- I configured my Tomcat to accept SSL
- I added a security-constraint in web.xml

I am facing the following problems:

1. The url-pattern /frwk/module/admin* does not work. I don't switch to HTTPS. With a
simpler pattern it works fine.

2. In my browser IE5.50 :-( , I got some links https://localhost:8080/framework... I then
get errors with those links. I truly don't understand the logic, as when I look at the properties
of the page I see https://localhost:8433/framework, and my address bar is also https://localhost:8433/...
(due to a redirect?)

3. I was expecting Tomcat to switch from http to https and then from http to https when a
page is outside the security pattern. It does not seem to be the case. It would have been
too simple, I imagine.

If anyone has ever done such a thing, I would appreciate your hints.

Here are my configs:

in web.xml :

    <!-- Define a security constraint on this application -->
    <display-name>Embedded Admin Module Security</display-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <web-resource-name>Admin module through actions</web-resource-name>
    <web-resource-name>Admin module through Language Bar with tile as the forward</web-resource-name>
    <web-resource-name>Admin module through Language Bar with an action as the forward</web-resource-name>
    <!-- Anyone with one of the listed roles may access this area -->
    <description>lets use https</description>
    <!-- Define the login configuration for this application -->
    <realm-name>Framework Application</realm-name>
    <!-- Security roles referenced by this web application -->
    The role that is required to log in to the Administration Application

In server.xml:

<Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" port="8080"
           redirectPort="8443" allowTrace="true" />
<Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keystorePass="tomcat"
           keystoreFile="c:/DGPE/jakarta-tomcat-5.0.18/certificates/keystore" />

Christophe Spielmann
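
Added example, not part of the original post: a small matcher following the Servlet specification's url-pattern mapping rules, showing that /frwk/module/admin* is treated as an exact-match string, so a security-constraint using it covers none of the admin URLs. The request paths are constructed samples (the post does not list its URLs), and the function names are hypothetical.

```python
# Added illustration: url-pattern matching per the Servlet specification's
# mapping rules. Not Tomcat's own code; request paths are constructed samples.

def pattern_kind(pattern):
    """Classify a url-pattern the way the Servlet spec does."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "prefix"
    if pattern.startswith("*."):
        return "extension"
    if pattern == "/":
        return "default"
    return "exact"  # any other string, including one with a stray '*'


def matches(pattern, path):
    """True if the context-relative request path is covered by pattern."""
    kind = pattern_kind(pattern)
    if kind == "prefix":
        base = pattern[:-2]  # "/a/*" -> "/a"
        return path == base or path.startswith(base + "/")
    if kind == "extension":
        last_segment = path.rsplit("/", 1)[-1]
        return last_segment.endswith(pattern[1:])  # "*.do" -> ".do"
    if kind == "default":
        return True
    return path == pattern  # exact: '*' is compared literally


def coverage(pattern, paths):
    """Paths that a security-constraint with this url-pattern would cover."""
    return [p for p in paths if matches(pattern, p)]


# Constructed request paths (hypothetical).
SAMPLE_PATHS = [
    "/frwk/module/admin",
    "/frwk/module/admin/users.do",
    "/frwk/module/adminUsers.do",
    "/frwk/module/public/home.do",
]

if __name__ == "__main__":
    for pat in ("/frwk/module/admin*", "/frwk/module/admin/*", "*.do"):
        kind = pattern_kind(pat)
        print(f"{pat!r:26} {kind:9} -> {coverage(pat, SAMPLE_PATHS)}")
```

A pattern that covers nothing fails silently: the pages are still served, only without the constraint, so it is worth checking each protected URL over plain HTTP after changing web.xml.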
