tomcat-users mailing list archives

From Dave <javao...@yahoo.com>
Subject Re: how to auto redirect to https from http
Date Thu, 07 Feb 2008 16:01:52 GMT
Hi Chris,
   
  I moved the <user-data-constraint> inside the <web-resource-collection> as the
following:
   
       <security-constraint>
                <web-resource-collection>
                        <web-resource-name>Automatic SLL Forwarding</web-resource-name>
                        <url-pattern>/login.html</url-pattern>
                        <user-data-constraint>
                           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                        </user-data-constraint>
                </web-resource-collection>
        </security-constraint>

  But http://www.mydomain.com/login.html did not redirect to the secure URL.
   
  As you mentioned, if I start with http, then redirect to https at login, and keep https
after login, does that mean https is using the http session? Is there a security hole if
a man-in-the-middle learns the session id from http and the same session id is used by https?
   
  Thanks for help.
  Dave

Christopher Schultz <chris@christopherschultz.net> wrote:
  -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave,

Dave wrote:
| I tried the method, it worked.
| But when I tried to protect login page only,
|
| 
| protected pages
| /login.jsp
| 
|
| restarted tomcat, and went to http://www.mydomain.com
|
| it was redirected to secure URL. It should stay insecure until going
to login page.
|
| anything I was missing?

Is that your entire configuration? If you've
told Tomcat that /* should be CONFIDENTIAL, then all traffic will be
redirected to HTTPS.

Move the CONFIDENTIAL part into the that
represents your login page, and leave the rest of the app non-CONFIDENTIAL.

Remember that Tomcat will not automatically go from HTTPS to HTTP, so
you'll have to make that happen yourself. Also remember that if your
session id cookie was created in HTTPS mode, your browser will not send
it back to the server when you're in HTTP mode.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkerHyAACgkQ9CaO5/Lv0PClgACfRQm66ro0lctDvrEnA0paYC0Y
ziIAn35jRaXBkefSfaz6l1cn9fOokmfe
=0RZ/
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
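The constraint Dave posted above does not redirect because `<user-data-constraint>` is nested inside `<web-resource-collection>`; in the servlet deployment descriptor it is a child of `<security-constraint>`, a sibling of `<web-resource-collection>`, and in the nested position it is not a valid descriptor element and produces no redirect. The following web.xml fragment is an added example (not from the thread and not Dave's or Chris's own configuration) showing the placement that Chris describes: CONFIDENTIAL on the login page only, the rest of the application left reachable over HTTP. The second `<url-pattern>`, `/doLogin`, is an assumed path for the form's POST target; substitute whatever your login form submits to.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: Servlet 2.4 web.xml with the transport guarantee placed
     where the descriptor schema expects it. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Force HTTPS for the login page only. Any URL not matched by a
       CONFIDENTIAL constraint stays on plain HTTP, which is the
       behaviour described in the thread. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Automatic SSL Forwarding</web-resource-name>
      <url-pattern>/login.html</url-pattern>
      <!-- /doLogin is an assumed path: the form's POST target must also be
           CONFIDENTIAL, otherwise the credentials travel in the clear even
           though the form itself was served over HTTPS. -->
      <url-pattern>/doLogin</url-pattern>
    </web-resource-collection>

    <!-- The transport guarantee is a sibling of <web-resource-collection>,
         not a child of it. Nested inside the collection (as in the post
         above) it is not a valid descriptor element and no redirect occurs. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

Two things to check when testing this. The HTTP-to-HTTPS redirect Tomcat issues for a CONFIDENTIAL constraint goes to the port named in the HTTP `<Connector>`'s `redirectPort` attribute in server.xml (8443 in the stock file), so that attribute must point at a working HTTPS connector. And, as Chris notes, Tomcat never redirects the other way: once a user is on HTTPS the application has to send them back to HTTP itself. On Dave's question about carrying one session id from HTTP into HTTPS: an id that was sent in the clear may already be known to a network attacker, so the usual practitioner's answer is to call `HttpSession.invalidate()` at login and then `request.getSession(true)` to get a fresh id under HTTPS, whose cookie Tomcat marks Secure so the browser will not send it back over plain HTTP.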

