tomcat-users mailing list archives

From "Gregor S." <rc4...@googlemail.com>
Subject Problems with forwarding HTTP to HTTPS
Date Wed, 30 Nov 2011 18:32:04 GMT
Hi list,

I'm a bit puzzled.

I want to forward all incoming HTTP-traffic to HTTPS.

Within my $catalina.home/conf/server.xml I've specified the following
connectors:

    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               SSLEnabled="true"
               SSLCertificateFile="${catalina.base}/conf/test.dom.crt"
               SSLCertificateKeyFile="${catalina.base}/conf/test.dom.key" />

Then I specified in $catalina.home/conf/web.xml the following
transport-guarantee:

        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>Protected Context</web-resource-name>
                                <url-pattern>/*</url-pattern>
                </web-resource-collection>
                <user-data-constraint>
                        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                </user-data-constraint>
        </security-constraint>

In my webapp, I additionally specified some security-constraints as
follows:

    <security-constraint>
        <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
                <role-name>someuser</role-name>
        </auth-constraint>
    </security-constraint>

However, when I call the webapp using http://mywebapp.something, it is
not redirected to HTTPS but the HTTP-scheme is used.

However, when I remove the security-constraints from
$catalina.base/conf/web.xml and change the webapp's
deployment-descriptor to

    <security-constraint>
        <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
        <!-- describes the valid roles for this app -->
        <auth-constraint>
                <role-name>domuser</role-name>
        </auth-constraint>
    </security-constraint>

it's working.

My understanding was that in the global web.xml
($catalina.home/conf/web.xml) the defaults are specified and promoted
to all webapps. But it seems as if the webapp doesn't inherit the element
<user-data-constraint> from the global web.xml if it specifies its
own <security-constraint> - my expectation was that it inherits
those elements not specified inside the webapp's
deployment-descriptor.

Is it such that if I specify <security-constraint> in my local
webapp, the global settings in $catalina.home/conf/web.xml are always
overwritten? If not - where does the inheritance start and where does
it end?

My business case is that I have a whole bunch of webapps which have
to be redirected to HTTPS, each of them having its own
<security-constraint> since you have to log in to access them, and
additionally multiple domains, so changing each deployment-descriptor
is giving me a major headache.

I couldn't find anything in the documentation - or let me rephrase
it: I understood it such that each element is inherited from the
global deployment-descriptor if not specified in the webapp's own
deployment-descriptor.

If somebody could shed some light here or point me to the right docs,
that would be great.

My configuration:

Using CATALINA_BASE:   /home/tomcat/local/apache-tomcat-6.0.33
Using CATALINA_HOME:   /home/tomcat/local/apache-tomcat-6.0.33
Using CATALINA_TMPDIR: /home/tomcat/local/apache-tomcat-6.0.33/temp
Using JRE_HOME:        /usr/lib/jvm/java-6-sun
Using CLASSPATH:       /home/tomcat/local/apache-tomcat-6.0.33/bin/bootstrap.jar
Server version: Apache Tomcat/6.0.33
Server built:   Aug 16 2011 02:16:34
Server number:  6.0.33.0
OS Name:        Linux
OS Version:     2.6.26-2-686
Architecture:   i386
JVM Version:    1.6.0_26-b03
JVM Vendor:     Sun Microsystems Inc.

I'm also using the APR, thus using OpenSSL as the SSL implementation.

TIA

Gregor
-- 
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 3DB13F197F8A0360814885D1F1F1E2EFAD509AFD
skype:rc46fi
gplus.to/gregor
twitter.com/#/2smart4u

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

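A practical way to check what a set of descriptors actually guarantees for a given path, whatever the merge rules turn out to be, is to compute the governing constraints yourself. The script below is an added example, not code from Gregor's message or from Tomcat: it parses the <security-constraint> elements of one or more web.xml fragments, selects the constraints that govern a request path following the Servlet specification's url-pattern forms (exact, then longest path-prefix, then extension, then the default pattern, combining all constraints that tie at the winning level), and flags resources that demand a role but not CONFIDENTIAL transport, i.e. logins that would travel over plain HTTP. The helper names (descriptor, parse_constraints, governing, requires_tls, logins_over_plain_http) and the three sample descriptors modelled on the post are constructed for this example; treating conf/web.xml plus the webapp's WEB-INF/web.xml as a plain union of constraints is an assumption of the audit, not a statement of how Tomcat 6.0.33 merges them.

```python
"""Audit which Servlet web.xml security-constraints govern a request path.

Added example, not code from the original post or from Tomcat. Selection
follows the Servlet spec's url-pattern forms (exact, longest path-prefix,
extension, default) and combines constraints that tie at the winning level.
Treating conf/web.xml plus WEB-INF/web.xml as a plain union is an assumption.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SECURE = ("CONFIDENTIAL", "INTEGRAL")  # transport guarantees that force TLS
NS = "http://java.sun.com/xml/ns/javaee"

@dataclass
class Constraint:
    name: str
    patterns: list
    transport: str = "NONE"                    # <transport-guarantee>, NONE if absent
    roles: list = field(default_factory=list)  # <role-name>s of the <auth-constraint>

def descriptor(name, transport=None, roles=()):
    """Build a constructed sample web.xml with one constraint on /* (the three
    shapes seen in the post); real descriptors go straight to parse_constraints."""
    tg = (f"<user-data-constraint><transport-guarantee>{transport}</transport-guarantee>"
          "</user-data-constraint>") if transport else ""
    ac = "".join(f"<role-name>{r}</role-name>" for r in roles)
    ac = f"<auth-constraint>{ac}</auth-constraint>" if roles else ""
    return (f'<web-app xmlns="{NS}" version="2.5"><security-constraint><web-resource-collection>'
            f"<web-resource-name>{name}</web-resource-name><url-pattern>/*</url-pattern>"
            f"</web-resource-collection>{tg}{ac}</security-constraint></web-app>")

def parse_constraints(xml_text):
    """Return every <security-constraint> in a descriptor, namespaced or not."""
    out = []
    for sc in ET.fromstring(xml_text).iter():
        if sc.tag.rsplit("}", 1)[-1] != "security-constraint":
            continue
        c = Constraint("", [])
        for el in sc.iter():
            tag, text = el.tag.rsplit("}", 1)[-1], (el.text or "").strip()
            if tag == "web-resource-name":
                c.name = text
            elif tag == "url-pattern":
                c.patterns.append(text)
            elif tag == "transport-guarantee":
                c.transport = text.upper()
            elif tag == "role-name":
                c.roles.append(text)
        out.append(c)
    return out

def match_rank(pattern, path):
    """Sort key for how specifically `pattern` governs `path`; None if it does not."""
    if pattern == path:
        return (3, len(pattern))                      # exact
    if pattern.endswith("/*"):
        prefix = pattern[:-2]                         # "/*" -> "", "/app/*" -> "/app"
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))                   # longest path-prefix
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, len(pattern))                      # extension
    return (0, 0) if pattern == "/" else None         # default pattern

def governing(constraints, path):
    """All constraints that tie at the most specific matching url-pattern."""
    best, chosen = None, []
    for c in constraints:
        for rank in filter(None, (match_rank(p, path) for p in c.patterns)):
            if best is None or rank > best:
                best, chosen = rank, [c]
            elif rank == best and not any(c is x for x in chosen):
                chosen.append(c)
    return chosen

def requires_tls(constraints, path):
    """True if any governing constraint demands CONFIDENTIAL or INTEGRAL transport."""
    return any(c.transport in SECURE for c in governing(constraints, path))

def logins_over_plain_http(constraints):
    """(name, url-pattern) pairs that demand a role but not TLS: credentials for
    those resources would be sent over plain HTTP."""
    findings = []
    for c in constraints:
        for p in (c.patterns if c.roles else ()):
            probe = (p[:-1] + "x") if p.endswith("/*") else (("/x" + p[1:]) if p.startswith("*.") else p)
            if not requires_tls(constraints, probe):
                findings.append((c.name, p))
    return findings

# Constructed samples modelled on the post: the global conf/web.xml constraint,
# the first webapp descriptor (auth only) and the working one (auth + CONFIDENTIAL).
GLOBAL = parse_constraints(descriptor("Protected Context", transport="CONFIDENTIAL"))
APP = parse_constraints(descriptor("Protected Area", roles=("someuser",)))
FIXED = parse_constraints(descriptor("Protected Area", "CONFIDENTIAL", ("domuser",)))

if __name__ == "__main__":
    for label, cs in (("app only", APP), ("global + app union", GLOBAL + APP), ("fixed app", FIXED)):
        print(f"{label:20} requires TLS on /: {requires_tls(cs, '/')}  "
              f"logins over HTTP: {logins_over_plain_http(cs)}")
```

Point parse_constraints at the real conf/web.xml and each webapp's WEB-INF/web.xml to audit a deployment; logins_over_plain_http is the check worth running over every webapp when, as in the post, each one carries its own auth-constraint. Because governing keeps only the most specific matching pattern, a later /admin/* constraint is also handled correctly: it replaces, rather than adds to, whatever /* says.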
