tomcat-users mailing list archives

From David Wall <>
Subject Re: HTTPS securing of manager web app and basic authentication
Date Fri, 14 Oct 2005 16:06:45 GMT
Discovered my problem with adding a second security-constraint as shown 
below.  Just putting the user-data-constraint element into the 
previous security-constraint did the trick.


David Wall wrote:

> I've just installed TC 5.5.12 and have configured it to allow for 
> HTTPS with the standard test port of 8443 and the redirect port on the 
> 8080 connector pointing to it.
> Then, in the server/webapps/manager/WEB-INF/web.xml file, I added the 
> following lines below the security constraint that comes with the webapp:
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Entire manager app</web-resource-name>
>     <url-pattern>/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> The intent was that any URL coming into /manager/* would require SSL.  
> It does seem to try to redirect, but there appears to be some sort of 
> issue with that and the basic auth that comes with the manager app by 
> default.  It appears to prompt me for my username and password before 
> it goes into SSL mode, so my basic auth is not protected.  If I use 
> the https link directly, all seems to work fine.
> In fact, when I first use the http link, it prompts me for a 
> username+password.  I enter the correct values to login.  Then 
> (because I've got a self-signed test cert) the browser brings up a 
> warning about the cert, along with a second basic auth prompt for 
> username+password.  I enter the correct values again.  But it then 
> seems to leave my browser on the insecure connection rather than the 
> https one.
> Is there a bug with CONFIDENTIAL/https and the basic auth routines?  
> It seems that the security constraint needs to take place with a 
> redirect before anything is returned to the browser to request the 
> basic auth.  Or is there something I've just not configured correctly 
> yet?
> Thanks,
> David
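The merged form David reports as working, written out as an added example (it is not taken from his message or from the stock Tomcat manager web.xml). The role name "manager" and the realm name are assumed to match the Tomcat 5.5 manager webapp's existing constraint and login-config; the url-pattern and methods are the ones from the original post.

```xml
<!-- Added example: the auth-constraint and the user-data-constraint live in
     ONE security-constraint instead of two. Role/realm names are assumptions
     based on the Tomcat 5.5 manager webapp; check them against your web.xml. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire manager app</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <!-- WHO may access: the constraint the manager app already shipped with -->
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
  <!-- HOW they must reach it: kept in the same security-constraint as the
       auth-constraint, so the CONFIDENTIAL redirect (to the connector's
       redirectPort, 8443 here) and the BASIC challenge apply to the same
       request. Splitting them into two constraints is what produced the
       plain-HTTP password prompt described in the thread. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Unchanged: BASIC auth as shipped with the manager app -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat Manager Application</realm-name>
</login-config>
```

After restarting Tomcat, a request to http://host:8080/manager/ should be redirected to https://host:8443/manager/ before any credentials prompt appears; confirm with the browser's network view or a packet capture that the Authorization header only ever travels on the 8443 connection.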
