tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Problem moving from HTTP to HTTPS
Date Fri, 01 Sep 2006 04:49:46 GMT
Yeah, you need to delete the entire <auth-constraint>...</auth-constraint> 
to allow everyone.  However, for MSIE, you may still get problems due to the 
restricted caching headers that Tomcat adds.

"Filip Hanik - Dev Lists" <devlists@hanik.com> wrote in message 
news:44F7639F.6060902@hanik.com...
> <role-name>*</role-name>  <!-- even though I have no roles configured -->
>
> the "*" means all the roles that you have defined in web.xml, since you 
> haven't defined any roles in web.xml, there is nothing to authenticate, 
> hence it's gonna deny the request
>
> Filip
>
>
> Glen Mazza wrote:
>> Hello,
>>
>> I have developed a simple web application running on Tomcat that asks for 
>> a database username and password and then returns a report in PDF. I'm 
>> *not* using any of Tomcat's security features for this--no roles for 
>> example.
>>
>> In testing it has been running fine on HTTP, but I would like it to be 
>> using HTTPS/SSL for production use, and ideally, be redirecting any user 
>> HTTP requests to HTTPS.  So I created a new keystore and activated the 
>> HTTPS/SSL connector in the server.xml file.  I also added the following 
>> security constraint to the web.xml of my web application in order to 
>> force a redirect from HTTP to HTTPS should the user enter the former:
>>
>>     <security-constraint>
>>         <web-resource-collection>
>>             <web-resource-name>thewholeapp</web-resource-name>
>>             <url-pattern>/*</url-pattern>
>>             <http-method>GET</http-method>
>>             <http-method>POST</http-method>
>>         </web-resource-collection>
>>         <auth-constraint>
>>             <role-name>*</role-name>  <!-- even though I have no roles configured -->
>>         </auth-constraint>
>>         <user-data-constraint>
>>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>         </user-data-constraint>
>>     </security-constraint>
>>
>> The redirection to the HTTPS page is working, but the HTTPS page itself 
>> is failing--I keep getting 403 error messages:  "Access to the requested 
>> resource has been denied".  Note I am *not* doing any form of container 
>> authentication--that may be the problem, as I'm relying on the DB 
>> connection string within my web application to authenticate into the 
>> database.  I get the same message if I go to the https:// URL directly 
>> and not via redirection.
>>
>> How can I get Tomcat to let every user access the HTTPS URL login page 
>> (letting the database continue to handle the subsequent authentication 
>> into the DB), preferably while still allowing for the automatic 
>> redirection from HTTP to HTTPS as listed in the above 
>> <security-constraint/>?
>>
>> Thanks,
>> Glen
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
>
>
> 
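
The rule described in this thread (a `*` role with no roles declared denies everyone, while omitting `<auth-constraint>` allows everyone and still forces HTTPS) can be checked mechanically. The following is an added example, not part of the original messages; the function names, the access labels and the `BEFORE`/`AFTER` samples are assumptions, with the samples constructed from the constraint in the question.

```python
import xml.etree.ElementTree as ET

def local(tag):
    # Drop any XML namespace so DTD-style and schema-style descriptors both match.
    return tag.rsplit("}", 1)[-1]

def kids(elem, name):
    return [c for c in elem if local(c.tag) == name]

def texts(elem, name):
    # Text of every descendant element called `name`.
    return [(e.text or "").strip() for e in elem.iter() if local(e.tag) == name]

def audit_web_xml(xml_text):
    """Classify each <security-constraint>: who can reach it, and is HTTPS forced."""
    root = ET.fromstring(xml_text)
    declared = {r for sr in kids(root, "security-role") for r in texts(sr, "role-name")}
    findings = []
    for sc in kids(root, "security-constraint"):
        auth = kids(sc, "auth-constraint")
        roles = [r for a in auth for r in texts(a, "role-name")]
        named = [r for r in roles if r != "*"]
        if not auth:
            access = "open"               # no auth-constraint: everyone is allowed
        elif "*" in roles and declared:
            access = "any-declared-role"  # "*" expands to the declared roles
        elif named:
            access = "listed-roles"
        else:
            access = "deny-all"           # empty constraint, or "*" with no roles declared
        findings.append({
            "name": (texts(sc, "web-resource-name") or ["?"])[0],
            "access": access,
            "confidential": "CONFIDENTIAL" in texts(sc, "transport-guarantee"),
        })
    return findings

# Constructed sample: the constraint from the question inside a minimal <web-app>.
AUTH = "<auth-constraint><role-name>*</role-name></auth-constraint>"
BEFORE = ("<web-app><security-constraint><web-resource-collection>"
          "<web-resource-name>thewholeapp</web-resource-name>"
          "<url-pattern>/*</url-pattern></web-resource-collection>" + AUTH +
          "<user-data-constraint><transport-guarantee>CONFIDENTIAL"
          "</transport-guarantee></user-data-constraint>"
          "</security-constraint></web-app>")
AFTER = BEFORE.replace(AUTH, "")  # the fix from the reply: drop <auth-constraint>

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_web_xml(doc))
```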



