tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Brown" <>
Subject Re: how to auto redirect to https from http
Date Thu, 07 Feb 2008 16:14:46 GMT
Hello Dave, this is not exactly the answer you are looking for but I have been concerned with
public web security for a long time and I have finally resigned myself to the fact that if
you are using login pages that process user ids and passwords and other confidential info
that man-in-the-middle and any type of network traffic sniffing is extremely dangerous. I
run several Java apps publicly and all are 100% https/SSL all the time. It is a performance
hit but I just up the hardware to match: multi-core Linux boxes with smp and 4+ gigs mem and
other virtualization tricks as afforded by XEN and even Tomcat itself (6.0). Also please note:
JBoss is very good at multi-instance web application servers on multiple ports with only a
single machine install. If you have very serious Java web application concerns and full-time
https encryption is warrented then you might give the folks at: a call.
HTH, David.

Dave wrote ..
> Hi Chris,
>   I moved the <user-data-constraint> inside the <web-resource-collection>
as the
> following:
>        <security-constraint>
>                 <web-resource-collection>
>                         <web-resource-name>Automatic SLL Forwarding</web-resource-name>
>                         <url-pattern>/login.html</url-pattern>
>                         <user-data-constraint>
>                            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>                         </user-data-constraint>
>                 </web-resource-collection>
>         </security-constraint>
>   But  did not redirect to secure URL.
>   As you mentioned, If I start as http, then redirect to https when login,  and
> keep https after login. Does that mean https is using the http session? Is there
> any security hole? If a man-in-the-middle knows the session id from http and the
> same session id is used by https?
>   Thanks for help.
>   Dave
> Christopher Schultz <> wrote:
> Hash: SHA1
> Dave,
> Dave wrote:
> | I tried the method, it worked.
> | But when I tried to protect login page only,
> |
> | 
> | protected
> pages
> | /login.jsp
> | 
> |
> | restarted tomcat, and went to
> |
> | it was redirected to secure URL. It should stay insecure until going
> to login page.
> |
> | anything I was missing?
> Is that your entire configuration? If you've
> told Tomcat that /* should be CONFIDENTIAL, then all traffic will be
> redirected to HTTPS.
> Move the CONFIDENTIAL part into the that
> represents your login page, and leave the rest of the app non-CONFIDENTIAL.
> Remember that Tomcat will not automatically go from HTTPS to HTTP, so
> you'll have to make that happen yourself. Also remember that if your
> session id cookie was created in HTTPS mode, your browser will not send
> it back to the server when you're in HTTP mode.
> - -chris
> Version: GnuPG v1.4.8 (MingW32)
> Comment: Using GnuPG with Mozilla -
> iEYEARECAAYFAkerHyAACgkQ9CaO5/Lv0PClgACfRQm66ro0lctDvrEnA0paYC0Y
> ziIAn35jRaXBkefSfaz6l1cn9fOokmfe
> =0RZ/
> ---------------------------------------------------------------------
> To start a new topic, e-mail:
> To unsubscribe, e-mail:
> For additional commands, e-mail:
> ---------------------------------
> Looking for last minute shopping deals?  Find them fast with Yahoo! Search.

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message