tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Janet Preston <JPres...@stjohns.ca>
Subject Help with mixed SSL and non-SSL pages in Tomcat 7.0
Date Fri, 14 Oct 2011 20:09:50 GMT
Hi,

I have a web site with a login page that has to be accessed using SSL so 
that the password is not sent as clear text. The rest of the site is 
non-SSL. My configuration worked with this combination: Tomcat 5.5.27; 
Apache 2.0.58; JAVA 1.5.0_13 and, mod_jk (I'm not sure what version of 
mod_jk but it's old). After upgrading to  Tomcat 7.0.22; Apache 2.2.21; 
JAVA 1.6.0_23; and tomcat jk connector version 1.2.32  I find my 
application doesn't work the same. The problem is I never get past the 
login page because whenever a redirect from port 8443 to port 8080 occurs 
I get bumped back to the log in page. I can use the application if I stay 
totally within SSL and I can use the application totally without SSL so I 
think this is a configuration issue, I just don't know what needs to 
change. I read the tomcat 7 SSL Configuration How-to and it says it's 
"customary to only run certain pages under SSL" but I'm missing something 
or have used a hole in the past that has now been plugged.

My web.xml is configured as follows:
       <welcome-file-list>
               <welcome-file>index.html</welcome-file>
       </welcome-file-list>
       <security-constraint>
               <display-name>App Security</display-name>
               <web-resource-collection>
                       <web-resource-name>App Security</web-resource-name>
                       <description></description>
                       <url-pattern>*.jsp</url-pattern>
                       <url-pattern>*.do</url-pattern>
                       <url-pattern>*.html</url-pattern>
                       <http-method>GET</http-method>
                       <http-method>PUT</http-method>
                       <http-method>POST</http-method>
                       <http-method>DELETE</http-method>
               </web-resource-collection>
               <auth-constraint>
                       <description></description>
                       <role-name>person</role-name>
               </auth-constraint>
       </security-constraint>
       <login-config>
               <auth-method>FORM</auth-method>
               <form-login-config>
                       <form-login-page>/login.jsp</form-login-page>
                       <form-error-page>/loginerr.jsp</form-error-page>
               </form-login-config>
       </login-config>
       <security-role>
          <description>All users who can login should be able to use this 
application</description>
                  <role-name>person</role-name>
       </security-role>

I created a certificate using the Java keystore and updated tomcat 
server.xml 
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/security/.keystore" 
keystorePass="appcertkey"   keyAlias="keyalias"/>

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Index.html redirects the user from https to http.

Any suggestions would be appreciated.

Regards,
Janet

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message