From David Wall <d.w...@computer.org>
Subject HTTPS securing of manager web app and basic authentication
Date Thu, 13 Oct 2005 15:40:05 GMT
I've just installed TC 5.5.12 and have configured it to allow for HTTPS 
with the standard test port of 8443 and the redirect port on the 8080 
connector pointing to it.

Then, in the server/webapps/manager/WEB-INF/web.xml file, I added the 
following lines below the security constraint that comes with the webapp:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire manager app</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

The intent was that any URL coming into /manager/* would require SSL.  
It does seem to try to redirect, but there appears to be some sort of 
issue with that and the basic auth that comes with the manager app by 
default.  It appears to prompt me for my username and password before it 
goes into SSL mode, so my basic auth is not protected.  If I use the 
https link directly, all seems to work fine. 

In fact, when I first use the http link, it prompts me for a 
username+password.  I enter the correct values to login.  Then (because 
I've got a self-signed test cert) the browser brings up a warning about 
the cert, along with a second basic auth prompt for username+password.  
I enter the correct values again.  But it then seems to leave my browser 
on the insecure connection rather than the https one.

Is there a bug with CONFIDENTIAL/https and the basic auth routines?  It 
seems that the security constraint needs to take place with a redirect 
before anything is returned to the browser to request the basic auth.  
Or is there something I've just not configured correctly yet?

Thanks,
David
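A check for the behaviour described in the post, added here as an example and not part of the original message or of Tomcat: a plaintext request to a CONFIDENTIAL-constrained URL should come back as a redirect to https with no Basic-auth challenge attached. The host, ports and path are assumed from the post (localhost:8080 redirecting to 8443, /manager/html); the sample responses are constructed, not captured.

```python
"""Classify a plaintext reply to a CONFIDENTIAL-constrained manager URL.

A correct deployment answers a plain-http request with a 3xx to https
before any authentication is requested, so Basic credentials are only
ever sent over TLS. A 401 / WWW-Authenticate on the plaintext port is
the symptom the post describes.
"""
import http.client
from typing import Mapping


def classify(status: int, headers: Mapping[str, str]) -> str:
    """Return 'redirect-first', 'challenge-first' or 'no-redirect'."""
    lower = {k.lower(): v for k, v in headers.items()}
    if status == 401 or "www-authenticate" in lower:
        # Credentials are being requested on the unencrypted connection.
        return "challenge-first"
    location = lower.get("location", "")
    if 300 <= status < 400 and location.lower().startswith("https://"):
        return "redirect-first"
    # Served in the clear or redirected elsewhere: constraint not applied.
    return "no-redirect"


def check_live(host: str = "localhost", port: int = 8080,
               path: str = "/manager/html") -> str:
    """Issue one unauthenticated plaintext GET and classify the reply.
    Host, port and path are assumptions taken from the post."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server).
GOOD = (302, {"Location": "https://localhost:8443/manager/html"})
BAD = (401, {"WWW-Authenticate": 'Basic realm="constructed-realm"'})

if __name__ == "__main__":
    for label, (status, hdrs) in (("expected", GOOD), ("reported", BAD)):
        print(label, classify(status, hdrs))
```

Run `check_live()` against a test instance to see which case the deployment actually exhibits.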
