tomcat-users mailing list archives

From Lyallex <lyal...@gmail.com>
Subject Re: How to remove port number from https adress and redirect http to https
Date Mon, 09 Jul 2007 09:10:37 GMT
I forgot to mention

http://java.sun.com/j2ee/dtds/web-app_2_2.dtd

will tell you whereabouts to put the filter mapping in web.xml

Rgds
Duncan

On 7/9/07, Lyallex <lyallex@gmail.com> wrote:
> Hello
>
> You 'put' them somewhere in your package hierarchy, so for example if
> you have the package structure com.barking.mad with servlets in
> com.barking.mad.servlets then you could put them in
> com.barking.mad.servlets.filters or wherever and package them up in
> your jar or war or whatever it is you are doing when you deploy your
> application.
>
> The filter mapping goes in web.xml
>
> Rgds
> Duncan
>
> On 7/9/07, christianhau <christianhau@gmail.com> wrote:
> >
> > Thanks man :)
> >
> > About the filters, where do you implement them? I see they are in Java but
> > still don't know where to put them :) And where do you put the filter
> > mapping?
> >
> > Thanks!
> >
> >
> >
> > Lyallex wrote:
> > >
> > > Hi
> > >
> > > > Ah, yes, well I'm not really an 'expert' myself but I have been through this
> > > > recently.
> > > >
> > > > The first thing I would say is that the following looks different to my own
> > > > config
> > >
> > > <url-pattern>/cas/WEB-INF/view/jsp/simple/ui</url-pattern>
> > >
> > > here is one of my constraints
> > >
> > > > <security-constraint>
> > > >     <display-name>Standard user constraint used for checkout and account modification</display-name>
> > > >     <web-resource-collection>
> > > >         <web-resource-name>my super new site</web-resource-name>
> > > >         <url-pattern>/user/LoginPreCheck</url-pattern>
> > > >         <url-pattern>/user/loggedin/*</url-pattern>
> > > >     </web-resource-collection>
> > > >     <auth-constraint>
> > > >         <role-name>wpcustomer</role-name>
> > > >     </auth-constraint>
> > > >     <user-data-constraint>
> > > >         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > > >     </user-data-constraint>
> > > > </security-constraint>
> > >
> > > > the url-pattern should be a relative path from the root of your application
> > > > or some mapped path to a resource (experts correct me if I am wrong please).
> > > > If you want everything protected then just use * (or /* I think actually).
> > > >
> > > > Now when a user tries this URL
> > > > http://www.mywebapp.co.uk/user/loggedin/editAccount.jsp Tomcat automatically
> > > > 'redirects' to https.
> > > >
> > > > As for the filter, well I'm a bit new to them as well. At the moment I have
> > > > decided that as long as a user is logged in then I'd like the session to be
> > > > secure. When they hit the logout button then I don't need secure I just need
> > > > straight http.
> > >
> > > Here is my filter
> > >
> > > > public class HttpsRedirectFilter implements Filter{
> > > >
> > > >  ...
> > > >
> > > >     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
> > > >         if((request instanceof HttpServletRequest) && (response instanceof HttpServletResponse)){
> > > >             // Same URL with the scheme switched from https to http
> > > >             String redirectTarget = ((HttpServletRequest)request).getRequestURL().toString().replaceFirst("https", "http");
> > > >             if(request.isSecure()){
> > > >                 ((HttpServletResponse)response).sendRedirect(redirectTarget);
> > > >             }
> > > >             else{
> > > >                 // Already plain http: continue down the chain
> > > >                 chain.doFilter(request, response);
> > > >             }
> > > >         }
> > > >     }
> > > >
> > > >    ...
> > >
> > > Very basic and primitive I'm sure but it does the job
> > >
> > > The filter is mapped to the /logout url thus
> > >
> > >   <filter>
> > >       <filter-name>redirectFilter</filter-name>
> > >       <filter-class>com.foo.bar.baz.HttpsRedirectFilter</filter-class>
> > >   </filter>
> > >   <filter-mapping>
> > >     <filter-name>redirectFilter</filter-name>
> > >     <url-pattern>/logout</url-pattern>
> > >   </filter-mapping>
> > >
> > > > Anytime anyone logs out this filter fires and redirects to 'standard' http.
> > > >
> > > > Now of course the filter could be a lot more sophisticated but it proved the
> > > > concept to me, now all I need is that little bit of 'majik'
> > > Hope all this helps.
> > >
> > > All criticism welcome
> > >
> > > Cheers
> > > Duncan
> > >
> > >
> > > On 7/6/07, christianhau <christianhau@gmail.com> wrote:
> > >>
> > >>
> > >> Thanks man!
> > >>
> > > >> I have tried a similar approach with the web.xml but no luck. This is what I
> > > >> wrote in web.xml
> > > >> <security-constraint>
> > > >>     <web-resource-collection>
> > > >>         <web-resource-name>Entire Application</web-resource-name>
> > > >>         <url-pattern>/cas/WEB-INF/view/jsp/simple/ui</url-pattern>
> > > >>     </web-resource-collection>
> > > >>     <user-data-constraint>
> > > >>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > > >>     </user-data-constraint>
> > > >> </security-constraint>
> > > >>
> > > >> Now I am not 100% sure if the pattern is correct, how would I check that?
> > > >> And another thing, you mentioned a suitable servlet filter? How would you go
> > > >> about making a servlet filter for this purpose and where would you put it?
> > > >> As you can tell from my question I have little experience with servlet
> > > >> filters..
> > >>
> > >> Thanks again :)
> > >>
> > >>
> > >>
> > >>
> > >> Lyallex wrote:
> > >> >
> > >> > Hi
> > >> >
> > > >> > This is my first contribution to this list and I expect others will have
> > > >> > better ways of doing it but ...
> > > >> >
> > > >> > The way I managed to get this working is to set the ssl connector port to the
> > > >> > default ssl port (443)
> > > >> > and my non-ssl connector port to the default http port (80)
> > > >> > Obviously there are issues starting Tomcat on these ports on *NIX systems
> > > >> > but judging by the following
> > > >> > entry in your ssl connector (keystoreFile="/root/.keystore") you appear to
> > > >> > have access to root.
> > > >> >
> > > >> > That should do it
> > > >> >
> > > >> > Also in my etc/hosts file I have set 127.0.0.1   www.mywebapp.co.uk and my
> > > >> > app is the root web app
> > >> >
> > >> > so now, combined with the following in web.xml
> > >> >
> > >> > <security-constraint>
> > >> > ...
> > >> >      <user-data-constraint>
> > >> >         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > >> >     </user-data-constraint>
> > >> > ...
> > >> > </security-constraint>
> > >> >
> > > >> > and a suitable servlet filter I can switch between http and https almost at
> > > >> > will with no messing about with ports just by asking for
> > > >> > http://www.mywebapp.co.uk
> > >> >
> > >> > Hope this helps
> > >> >
> > >> > Cheers
> > >> > Duncan
> > >> >
> > >> >
> > >> > On 7/6/07, christianhau <christianhau@gmail.com> wrote:
> > >> >>
> > >> >>
> > >> >> Hi!
> > >> >>
> > > >> >> I have set up a tomcat server with ssl that works fine as long as I go to
> > > >> >> the address https://adress:8443 I want to get rid of the port number, is
> > > >> >> there any easy way to do this so that tomcat understands the https request
> > > >> >> that comes in?
> > > >> >>
> > > >> >> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> > > >> >> maxThreads="150" scheme="https" secure="true"
> > > >> >> clientAuth="false" keystorePass="changeit" sslProtocol="TLS"
> > > >> >> keystoreFile="/root/.keystore"
> > > >> >> truststoreFile="/usr/lib/jvm/java-1.5.0-sun/jre/lib/security/cacerts" />
> > > >> >>
> > > >> >> This is my ssl connector in my server.xml. I tried getting a redirect from
> > > >> >> http to https going but couldn't do that in tomcat alone, any tips on that
> > > >> >> as well? I have done this:
> > > >> >>
> > > >> >> <Connector port="8080" protocol="HTTP/1.1"
> > > >> >> redirectPort="8443" />
> > > >> >>
> > > >> >> With no luck... Thanks for any help!!
> > >> >> --
> > >> >> View this message in context:
> > >> >>
> > >> http://www.nabble.com/How-to-remove-port-number-from-https-adress-and-redirect-http-to-https-tf4034030.html#a11459871
> > >> >> Sent from the Tomcat - User mailing list archive at Nabble.com.
> > >> >>
> > >> >>
> > >> >> ---------------------------------------------------------------------
> > >> >> To start a new topic, e-mail: users@tomcat.apache.org
> > >> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > >> >> For additional commands, e-mail: users-help@tomcat.apache.org
> > >> >>
> > >> >>
> > >> >
> > >> >
> > >>
> > >> --
> > >> View this message in context:
> > >> http://www.nabble.com/How-to-remove-port-number-from-https-adress-and-redirect-http-to-https-tf4034030.html#a11462081
> > >> Sent from the Tomcat - User mailing list archive at Nabble.com.
> > >>
> > >>
> > >> ---------------------------------------------------------------------
> > >> To start a new topic, e-mail: users@tomcat.apache.org
> > >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > >> For additional commands, e-mail: users-help@tomcat.apache.org
> > >>
> > >>
> > >
> > >
> >
> >
>
