tomcat-users mailing list archives

From Fred Blaise <chapeauro...@madpenguin.org>
Subject web.xml - <security-constraint> oddity/problem
Date Thu, 07 Oct 2004 03:56:50 GMT
Hello

I am running Apache 2.0.46 with SSL with Tomcat/mod_jk2, on White Box
Linux. I do not have Tomcat running SSL on 8443.

So I have this issue with my app... I am securing my app with the
<security-constraint> tag in web.xml (connected to a MySQL backend).

It works perfectly with the <url-pattern>/clients.jsp</url-pattern>.
clients.jsp is an https:// URI, therefore my Apache SSL is handling it,
and so is the remainder of the session (?). However, if I throw
<url-pattern>/index.jsp</url-pattern>, which is an http:// URI, then
Tomcat tries to connect to port 8443 (instead of 443), where of course
it fails miserably since nothing is running there.

I guess my question is, why is Tomcat trying to get to port 8443, when
none of my URIs point to https://myhost:8443, but simply to
https://myhost (which should be handled on port 443 by my Apache SSL)?

I don't know if I have been very clear... I always suck at explaining my
problem :P Please ask me if I can clarify....

Thanks a lot

Best Regards

Fred


<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
   PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
   "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

<!-- Beginning of web.xml deployment descriptor -->

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Client login</web-resource-name>
        <url-pattern>/clients.jsp</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
        <role-name>clients</role-name>
    </auth-constraint>

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

</security-constraint>

<login-config>

    <auth-method>FORM</auth-method>

    <form-login-config>

        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginError.jsp</form-error-page>

    </form-login-config>

</login-config>

<security-role>
    <role-name>clients</role-name>
</security-role>

</web-app>
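
Added note, not part of the original message: when a request arrives at Tomcat over a non-SSL channel and matches a <security-constraint> whose transport guarantee is CONFIDENTIAL, Tomcat redirects it to the port named in the receiving connector's redirectPort attribute, which the stock server.xml sets to 8443. The fragment below is an added example that assumes the mod_jk2 traffic reaches Tomcat through the AJP connector on port 8009 in conf/server.xml; the port and protocol values are assumptions, and only redirectPort is the point.

```xml
<!--
  Added illustration for conf/server.xml (not from the original post).
  Assumed: requests from Apache/mod_jk2 enter through the AJP connector
  on port 8009. Any other attributes already present on the connector
  stay as they are.

  Before: a plain-HTTP request for a CONFIDENTIAL resource is answered
  with a redirect to https://myhost:8443/..., where nothing listens:

      <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-->

<!--
  After: the redirect targets the port where Apache terminates SSL.
  A request that already came in over https:// through Apache is treated
  as secure and is served without any redirect, which is why the
  /clients.jsp pattern worked and the http:// /index.jsp one did not.
-->
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

<!--
  If Tomcat's own HTTP connector is also reachable, its redirectPort
  needs the same value, otherwise requests arriving there are still
  sent to 8443.
-->
```

Tomcat reads server.xml at startup, so the change takes effect after a restart.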


