Return-Path: 
 <users-return-191059-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: (qmail 61545 invoked from network); 4 Feb 2009 11:17:40 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 4 Feb 2009 11:17:40 -0000
Received: (qmail 82582 invoked by uid 500); 4 Feb 2009 11:17:26 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 82558 invoked by uid 500); 4 Feb 2009 11:17:25 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 82547 invoked by uid 99); 4 Feb 2009 11:17:25 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 04 Feb 2009 03:17:25 -0800
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
	tests=SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: local policy)
Received: from [195.197.172.115] (HELO gw01.mail.saunalahti.fi)
 (195.197.172.115)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 04 Feb 2009 11:17:15 +0000
Received: from AIMODUAL (firepii.dbmanager.fi [195.197.253.242])
	by gw01.mail.saunalahti.fi (Postfix) with ESMTP id 9D75B1514D6
	for <users@tomcat.apache.org>; Wed,  4 Feb 2009 13:16:53 +0200 (EET)
From: "Jaakko Taipale" <jaakko.taipale@dbmanager.fi>
To: "'Tomcat Users List'" <users@tomcat.apache.org>
References: <1F56A2435C7548FFB117C74AE7C40292@DBM.local>
 	<0AAE5AB84B013E45A7B61CB66943C17215B5E82C0D@USEA-EXCH7.na.uis.unisys.com>
 <5AA395C68E5C409FAE3C2653C97E02D1@DBM.local>
 <0AAE5AB84B013E45A7B61CB66943C17215B600B91B@USEA-EXCH7.na.uis.unisys.com>
Subject: VS: Tomcat configuration with multiple services
Date: Wed, 4 Feb 2009 13:15:35 +0200
Message-ID: <39292F56A880472B8026021719F51FC9@DBM.local>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: 
 <0AAE5AB84B013E45A7B61CB66943C17215B600B91B@USEA-EXCH7.na.uis.unisys.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
Thread-Index: Acl9QErz+dEKiWoLSb+35jxOTuyLhQH1ImGAAA0GS5AAIlPzIAAOoy7QACrrAjA=
X-Virus-Checked: Checked by ClamAV on apache.org

Thanks for advices, <transport-guarantee> 'tip' was exactly what I need. =
I
have now following configuration:

server.xml:
 <Service name=3D"Catalina">
   <Connector port=3D"80" protocol=3D"HTTP/1.1"=20
               connectionTimeout=3D"20000"=20
               redirectPort=3D"443" />
   <Connector=20
	port=3D"443" minSpareThreads=3D"5" maxSpareThreads=3D"75"
	enableLookups=3D"true" disableUploadTimeout=3D"true"=20
	acceptCount=3D"100"  maxThreads=3D"200"
	scheme=3D"https" secure=3D"true" SSLEnabled=3D"true"
	keystoreFile=3D"/path/keystore" keystorePass=3D"********"
	clientAuth=3D"false" sslProtocol=3D"TLS"/>

   <Engine name=3D"Catalina" defaultHost=3D"mydomain.com">

 	<Host name=3D"mydomain.com" appBase=3D"httpapps"
       	unpackWARs=3D"true" autoDeploy=3D"true"
       	xmlValidation=3D"false" xmlNamespaceAware=3D"false" >
	</Host>

	 <Host name=3D"admin.mydomain.com" appBase=3D"adminapps"
       	unpackWARs=3D"true" autoDeploy=3D"true"
       	xmlValidation=3D"false" xmlNamespaceAware=3D"false">
	</Host>
   </Engine>
 </Service>

...and I added this in admin application web.xml for ssl forwarding:
	<security-constraint>
	  <web-resource-collection>
	    <web-resource-name>SLL Forwarding</web-resource-name>
	    <url-pattern>/*</url-pattern>
	  </web-resource-collection>
	  <user-data-constraint>
	    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
	  </user-data-constraint>
	</security-constraint>


The reason why I have two <Host> element is that I have configured my
applications to different appBase directories as ROOT. That way I got =
urls:
http://mydomain.com and
https://admin.mydomain.com=20
don't want to show my appName in url like
http://mydomain.com/myapp and
https://admin.mydomain.com/myadminapp

Is there better way? I know I could use UrlRewriteFilter module but =
right
now I wouldn't like to add any additional modules to my Tomcat.

--
Jaakko


-----Alkuper=E4inen viesti-----
L=E4hett=E4j=E4: Caldarale, Charles R =
[mailto:Chuck.Caldarale@unisys.com]=20
L=E4hetetty: 3. helmikuuta 2009 16:44
Vastaanottaja: Tomcat Users List
Aihe: RE: Tomcat configuration with multiple services

> From: Jaakko Taipale [mailto:jaakko.taipale@dbmanager.fi]
> Subject: VS: Tomcat configuration with multiple services
>
>    <Connector port=3D"80" protocol=3D"HTTP/1.1"
>                connectionTimeout=3D"20000"
>                redirectPort=3D"8443" />
>         <Connector
>         port=3D"443" minSpareThreads=3D"5" maxSpareThreads=3D"75"
>         enableLookups=3D"true" disableUploadTimeout=3D"true"
>         acceptCount=3D"100"  maxThreads=3D"200"
>         scheme=3D"https" secure=3D"true" SSLEnabled=3D"true"
>         keystoreFile=3D"/path/somekeystore" keystorePass=3D"*********"
>         clientAuth=3D"false" sslProtocol=3D"TLS"/>

Your redirectPort should target the configured HTTPS port, not thin air.

>    <Engine name=3D"Public" defaultHost=3D"mydomain.com">
>         <Host name=3D"mydomain.com" appBase=3D"httpapps"
>         unpackWARs=3D"true" autoDeploy=3D"true"
>         xmlValidation=3D"false" xmlNamespaceAware=3D"false">
>         </Host>
>          <Host name=3D"hastobehttps.mydomain.com" =
appBase=3D"httpsapps"
>         unpackWARs=3D"true" autoDeploy=3D"true"
>         xmlValidation=3D"false" xmlNamespaceAware=3D"false">
>         </Host>
>    </Engine>

What are you trying to achieve with the two <Host> elements?

> How can I force that users use https(or prevent http) when they access =

> to hastobehttps.mydomain.com?

Read the servlet spec; use a <transport-guarantee> of CONFIDENTIAL for =
all
your webapps.  If you want HTTPS to be used for everything, put the
<security-constraint> element in conf/web.xml so it will be picked up by =
all
webapps.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you =
received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org