tomcat-users mailing list archives

From Lyallex <lyal...@gmail.com>
Subject Re: How to remove port number from https adress and redirect http to https
Date Fri, 06 Jul 2007 11:14:55 GMT
Hi

Ah, yes, well I'm not really an 'expert' myself but I have been through this
recently.

The first thing I would say is that the following looks different to my own
config

<url-pattern>/cas/WEB-INF/view/jsp/simple/ui</url-pattern>

here is one of my constraints

<security-constraint>
    <display-name>Standard user constraint used for checkout and account modification</display-name>
    <web-resource-collection>
      <web-resource-name>my super new site</web-resource-name>
      <url-pattern>/user/LoginPreCheck</url-pattern>
      <url-pattern>/user/loggedin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>wpcustomer</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

the url-pattern should be a relative path from the root of your application
or some mapped path to a resource (experts correct me if I am wrong please).
If you want everything protected then just use * (or /* I think actually).

Now when a user tries this URL
http://www.mywebapp.co.uk/user/loggedin/editAccount.jsp Tomcat automatically
'redirects' to https.

As for the filter, well I'm a bit new to them as well. At the moment I have
decided that as long as a user is logged in then I'd like the session to be
secure. When they hit the logout button then I don't need secure I just need
straight http.

Here is my filter

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HttpsRedirectFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if ((request instanceof HttpServletRequest)
                && (response instanceof HttpServletResponse)) {
            // Swap only the scheme. This assumes the connectors sit on the
            // default ports (443/80), so the request URL carries no explicit
            // port; with https://host:8443/... the result would still point
            // at the SSL connector's port.
            String redirectTarget = ((HttpServletRequest) request)
                    .getRequestURL().toString().replaceFirst("^https", "http");
            if (request.isSecure()) {
                ((HttpServletResponse) response).sendRedirect(redirectTarget);
            } else {
                chain.doFilter(request, response);
            }
        } else {
            // not an HTTP exchange: nothing to redirect, pass it down the chain
            chain.doFilter(request, response);
        }
    }

    public void destroy() {
    }
}

Very basic and primitive I'm sure but it does the job

The filter is mapped to the /logout url thus

  <filter>
      <filter-name>redirectFilter</filter-name>
      <filter-class>com.foo.bar.baz.HttpsRedirectFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>redirectFilter</filter-name>
    <url-pattern>/logout</url-pattern>
  </filter-mapping>

Anytime anyone logs out this filter fires and redirects to 'standard' http.

Now of course the filter could be a lot more sophisticated but it proved the
concept to me, now all I need is that little bit of 'majik'

Hope all this helps.

All criticism welcome

Cheers
Duncan


On 7/6/07, christianhau <christianhau@gmail.com> wrote:
>
>
> Thanks man!
>
> I have tried a similar approach with the web.xml but no luck. This is what I
> wrote in web.xml
>
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>Entire Application</web-resource-name>
>         <url-pattern>/cas/WEB-INF/view/jsp/simple/ui</url-pattern>
>     </web-resource-collection>
>     <user-data-constraint>
>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
> </security-constraint>
>
> Now I am not 100% sure if the pattern is correct, how would I check that?
> And another thing, you mentioned a suitable servlet filter? How would you go
> about making a servlet filter for this purpose and where would you put it?
> As you can tell from my question I have little experience with servlet
> filters..
>
> Thanks again :)
>
>
>
>
> Lyallex wrote:
> >
> > Hi
> >
> > This is my first contribution to this list and I expect others will have
> > better ways of doing it but ...
> >
> > The way I managed to get this working is to set the ssl connector port to the
> > default ssl port (443)
> > and my non-ssl connector port to the default http port (80)
> > Obviously there are issues starting Tomcat on these ports on *NIX systems
> > but judging by the following
> > entry in your ssl connector (keystoreFile="/root/.keystore") you appear to
> > have access to root.
> >
> > That should do it
> >
> > Also in my etc/hosts file I have set 127.0.0.1   www.mywebapp.co.uk and my
> > app is the root web app
> >
> > so now, combined with the following in web.xml
> >
> > <security-constraint>
> > ...
> >      <user-data-constraint>
> >         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >     </user-data-constraint>
> > ...
> > </security-constraint>
> >
> > and a suitable servlet filter I can switch between http and https almost at
> > will with no messing about with ports just by asking for
> > http://www.mywebapp.co.uk
> >
> > Hope this helps
> >
> > Cheers
> > Duncan
> >
> >
> > On 7/6/07, christianhau <christianhau@gmail.com> wrote:
> >>
> >>
> >> Hi!
> >>
> >> I have set up a tomcat server with ssl that works fine as long as I go to
> >> the address https://adress:8443 I want to get rid of the port number, is
> >> there any easy way to do this so that tomcat understands the https request
> >> that comes in?
> >>
> >> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> >>            maxThreads="150" scheme="https" secure="true"
> >>            clientAuth="false" keystorePass="changeit" sslProtocol="TLS"
> >>            keystoreFile="/root/.keystore"
> >>            truststoreFile="/usr/lib/jvm/java-1.5.0-sun/jre/lib/security/cacerts" />
> >>
> >> This is my ssl connector in my server.xml. I tried getting a redirect from
> >> http to https going but couldn't do that in tomcat alone, any tips on that
> >> as well? I have done this:
> >>
> >> <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
> >>
> >> With no luck... Thanks for any help!!
> >> --
> >> View this message in context:
> >> http://www.nabble.com/How-to-remove-port-number-from-https-adress-and-redirect-http-to-https-tf4034030.html#a11459871
> >> Sent from the Tomcat - User mailing list archive at Nabble.com.
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To start a new topic, e-mail: users@tomcat.apache.org
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >
> >
>
> --
> View this message in context:
> http://www.nabble.com/How-to-remove-port-number-from-https-adress-and-redirect-http-to-https-tf4034030.html#a11462081
> Sent from the Tomcat - User mailing list archive at Nabble.com.
