tomcat-users mailing list archives

From "James_sys" <james_...@mysparekey.co.uk>
Subject RE: Problem getting http redirected to https
Date Tue, 11 Jan 2005 10:41:44 GMT
Thanks, Mark - good point. I've attached relevant snippets from web.xml &
server.xml below.

I've also tried an equivalent configuration on Tomcat 5, jdk 1.4, Win 2k.
Interestingly, this worked fine.

My on-going quest for a solution under Tomcat 4.1, jdk 1.3, FreeBSD 4.7
threw up a couple of interesting comments from people on other groups:

- One observation was that upgrading the jdk from 1.3 to 1.4 solved the
problem (alas, not a practical option for me - I'm constrained by the
Production environment operating system, locked at FreeBSD v4.7 which can't
take jdk 1.4).
- Another observation (which I intend to investigate further today) was that
including some extra code in the web application worked around the problem.
Code snippet was:

    // JSSE was a separate add-on before jdk 1.4, so the web app registers
    // the JSSE URL handler package and security provider itself.
    System.setProperty("java.protocol.handler.pkgs",
                       "com.sun.net.ssl.internal.www.protocol");
    java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

These observations, coupled with things working as expected with newer
product versions, are beginning to suggest some version compatibility problem
with Tomcat 4.1 and jdk 1.3.

Finally, I tried switching the ports to their defaults of 80 and 443, and
running the Tomcat service under root. The problem remained the same.

server.xml snippet:

    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="80" scheme="http" secure="false" redirectPort="443"
               protocolHandlerClassName="org.apache.coyote.http11.Http11Protocol"
               bufferSize="2048" serverSocketTimeout="0" connectionUploadTimeout="300000"
               useBodyEncodingForURI="true" tomcatAuthentication="true"
               connectionTimeout="20000" enableLookups="true" debug="0"
               maxKeepAliveRequests="100" disableUploadTimeout="true" proxyPort="0"
               tcpNoDelay="true" maxProcessors="75" minProcessors="5" acceptCount="100"
               useURIValidationHack="false" compression="off" connectionLinger="-1">
      <Factory className="org.apache.catalina.net.DefaultServerSocketFactory"/>
    </Connector>
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8009" scheme="http" secure="false" redirectPort="443"
               protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"
               bufferSize="2048" serverSocketTimeout="0" connectionUploadTimeout="300000"
               useBodyEncodingForURI="true" tomcatAuthentication="true"
               connectionTimeout="0" enableLookups="true" debug="0"
               maxKeepAliveRequests="100" disableUploadTimeout="false" proxyPort="0"
               tcpNoDelay="true" maxProcessors="75" minProcessors="5" acceptCount="10"
               useURIValidationHack="false" compression="off" connectionLinger="-1">
      <Factory className="org.apache.catalina.net.DefaultServerSocketFactory"/>
    </Connector>
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="443" scheme="https" secure="true" redirectPort="443"
               protocolHandlerClassName="org.apache.coyote.http11.Http11Protocol"
               bufferSize="2048" serverSocketTimeout="0" connectionUploadTimeout="300000"
               useBodyEncodingForURI="true" tomcatAuthentication="true"
               connectionTimeout="60000" enableLookups="true" debug="0"
               maxKeepAliveRequests="100" disableUploadTimeout="true" proxyPort="0"
               tcpNoDelay="true" maxProcessors="75" minProcessors="5" acceptCount="100"
               useURIValidationHack="false" compression="off" connectionLinger="-1">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               keystoreFile="/home/james/.keystore" keystoreType="JKS" keystorePass="changeit"
               rootFile="/home/james/root.pem" randomFile="/home/james/random.pem"
               clientAuth="false" sslProtocol="TLS"/>
    </Connector>

web.xml snippet (example here is for a single page - I've also tried
url-patterns for directories, e.g. /pages/*):

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Secure</web-resource-name>
        <url-pattern>/ssl_test2.html</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
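An added example, not part of this thread: a small Python check over the two snippets above, which confirms that every plain Connector's redirectPort actually names a Connector with scheme="https" and secure="true", and lists the url-patterns that a CONFIDENTIAL transport-guarantee covers. The embedded XML is constructed from the posted snippets, trimmed to the attributes that govern the redirect.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three posted Connectors, trimmed to the redirect attributes.
SERVER_XML = """<Server><Service name="Tomcat-Standalone">
  <Connector port="80" scheme="http" secure="false" redirectPort="443"/>
  <Connector port="8009" scheme="http" secure="false" redirectPort="443"/>
  <Connector port="443" scheme="https" secure="true" redirectPort="443"/>
</Service></Server>"""

# Constructed sample: the posted web.xml security-constraint, as in the mail.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure</web-resource-name>
      <url-pattern>/ssl_test2.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def check_redirect_targets(server_xml):
    """List every plain Connector whose redirectPort is not an HTTPS Connector."""
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    # Only a Connector marked scheme="https" AND secure="true" is a valid target;
    # pointing redirectPort at anything else sends clients to a non-TLS port.
    https_ports = {c.get("port") for c in connectors
                   if c.get("scheme") == "https" and c.get("secure") == "true"}
    problems = []
    for c in connectors:
        if c.get("port") in https_ports:
            continue
        target = c.get("redirectPort")
        if target not in https_ports:
            problems.append("port %s: redirectPort %s is not an HTTPS connector"
                            % (c.get("port"), target))
    return problems


def confidential_patterns(web_xml):
    """List the url-patterns covered by a CONFIDENTIAL transport-guarantee."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "")
        if guarantee.strip() == "CONFIDENTIAL":
            patterns += [p.text.strip() for p in sc.iter("url-pattern") if p.text]
    return patterns
```

Run against the posted configuration the check reports no redirect problems, which supports the poster's conclusion that the fault lies with the Tomcat 4.1 / jdk 1.3 combination rather than with server.xml.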


-----Original Message-----
From: Mark Anderson [mailto:anderson@mitre.org]
Sent: 11 January 2005 02:12
To: Tomcat Users List
Subject: Re: Problem getting http redirected to https


Since it's not working right, it would help if you showed us what you did
when you "configured a security-constraint in web.xml for testPage.html".
Did you do:

<user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

In CATALINA_HOME/conf/server.xml, you need to configure the HTTP connector
to redirect HTTPS to the HTTPS connector.

Do you have an HTTP connector configured in server.xml?  There are examples
in the server.xml that shipped with Tomcat.

<Connector port="8080" redirectPort="8443" ... >

<Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
keystorePass="secreted" keystoreFile="/usr/tomcat/.keystore" ... />

- Mark

James_sys wrote:
> Hi,
>
> I've been wrestling with SSL on Tomcat for a while now. Hope you can offer
> some useful pointers.
>
> My problem is around getting http requests auto-redirected to return an
> https response.
>
> I can request https://exampleServer.com:8443/testPage.html and get an
> encrypted response.
>
> However, if I request http://exampleServer.com:8080/testPage.html I see an
> HTTP 500 "internal error" message. I was expecting the server to internally
> redirect the request to https://... and return an encrypted response.
>
> I've configured a security-constraint in web.xml for testPage.html. I've
> checked the servlet and catalina logs but don't see any errors or warnings.
>
> I'm working with Tomcat 4.1.30 on a FreeBSD v4.7 platform. I know these are
> old versions, but I'm constrained by other dependencies in the Production
> environment.
>
> Apologies if this is a common problem - I have checked the archives but
> didn't find what I need.
>
> Thanks for any help.
>
> Regards,
>
> James.
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>

--
Mark Anderson                                voice:703-883-6508
Networking & Distributed Systems Engineer    fax  :703-883-5864
The MITRE Corporation                        email:anderson@mitre.org
