tomcat-users mailing list archives

From "Klotz Jr, Dennis" <DKl...@empirix.com>
Subject web.xml question
Date Tue, 29 Nov 2005 15:26:48 GMT
Hello all. I hope your day is going well.

I need your help.

I cannot get a form-based login page to use SSL when I think I've set up
the web.xml correctly.

Why doesn't my login.jsp use HTTPS when tomcat is invoking it for
authorization? (more details at the bottom)

Here are the relevant sections of my web.xml:

-----------------------------------------

<!-- BEGIN_LOGIN_SECURITY -->
   <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login page</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>

    <!--   Enable this for SSL -->

    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL
      </transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- END_LOGIN_SECURITY -->

  <!-- ======================================= -->

  <!-- LOGIN AUTHENTICATION -->
  <!-- Form authentication requires SSL -->
       <login-config>
           <auth-method>FORM</auth-method>
           <realm-name>Application</realm-name>
           <form-login-config>
               <form-login-page>/login.jsp</form-login-page>
               <form-error-page>/error_401.html</form-error-page>
           </form-login-config>
       </login-config>



  <security-constraint>
    <web-resource-collection>
      <web-resource-name>VoIP Monitor Applications</web-resource-name>
      <url-pattern>/CallQDiagnostics.jsp</url-pattern>
      <url-pattern>/report_index.jsp</url-pattern>
      <url-pattern>/CallQAnalysis.jsp</url-pattern>
      <url-pattern>/index.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
      <role-name>monitor_tier1</role-name>
      <role-name>monitor_guest</role-name>
      <role-name>monitor_admin</role-name>
      <role-name>monitor_tier3</role-name>
    </auth-constraint>

    <!--   Enable this for SSL -->

    <user-data-constraint>
      <transport-guarantee>NONE
      </transport-guarantee>
    </user-data-constraint>

  </security-constraint>

----------------------------------------------------------

So here is what happens. I type the full URL to the CallQAnalysis.jsp
(for example) and the login.jsp is invoked BUT it has NOT been
redirected to the HTTPS connector (which is enabled and working).

Now if I type the address of the login.jsp directly, then the connection
is redirected over HTTPS. 

Why doesn't the login.jsp use HTTPS when tomcat is invoking it for
authorization?

Any help figuring out what I am doing wrong is greatly appreciated.


Sincerely,

Dennis Klotz

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
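
An added check (not part of the original message and not Tomcat code) for the configuration shown above: with FORM authentication the login page is served while the container is handling the request for the protected URL, so the transport guarantee that decides whether credentials travel over HTTPS is the one on the protected resources, not the one on /login.jsp. The function names and the trimmed sample are constructed for illustration, and the reasoning assumes the container reaches the login page through an internal forward, which the servlet specification exempts from security constraints.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the web.xml in the message above.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/login.jsp</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL
  </transport-guarantee></user-data-constraint>
 </security-constraint>
 <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config><form-login-page>/login.jsp</form-login-page></form-login-config>
 </login-config>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/CallQAnalysis.jsp</url-pattern>
   <url-pattern>/index.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>monitor_admin</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE
  </transport-guarantee></user-data-constraint>
 </security-constraint>
</web-app>"""

def local(tag):
    # Drop any XML namespace so DTD-style and schema-style files both parse.
    return tag.rsplit("}", 1)[-1]

def texts(elem, name):
    # Trimmed text of every descendant element called `name`.
    return [(e.text or "").strip() for e in elem.iter() if local(e.tag) == name]

def cleartext_login_triggers(web_xml):
    """URL patterns that demand a login but allow plain HTTP (FORM auth only)."""
    root = ET.fromstring(web_xml)
    if "FORM" not in texts(root, "auth-method"):
        return []
    exposed = []
    for sc in root.iter():
        if local(sc.tag) != "security-constraint":
            continue
        # A missing user-data-constraint behaves like NONE.
        guarantee = (texts(sc, "transport-guarantee") or ["NONE"])[0]
        if texts(sc, "role-name") and guarantee not in ("CONFIDENTIAL", "INTEGRAL"):
            exposed += texts(sc, "url-pattern")
    return exposed

if __name__ == "__main__":
    print(cleartext_login_triggers(WEB_XML))
```

Changing the second constraint's transport-guarantee from NONE to CONFIDENTIAL makes the check return an empty list, because the request for the protected page is then moved to HTTPS before the login form is shown.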

