tomcat-users mailing list archives

From Jeffrey Janner <Jeffrey.Jan...@PolyDyne.com>
Subject RE: Problems with forwarding HTTP to HTTPS
Date Thu, 01 Dec 2011 14:45:37 GMT
I might be a little off (and I'm sure Pid or Chuck will correct me), but security-constraints
are applied based on matching url-patterns, and you're using the same pattern in both places.
Therefore, the webapp's definition will take precedence over the global.
Looks like it is best to bite the bullet and update each one individually.

> -----Original Message-----
> From: Gregor S. [mailto:rc46fi@googlemail.com]
> Sent: Wednesday, November 30, 2011 12:32 PM
> To: Tomcat Users List
> Subject: Problems with forwarding HTTP to HTTPS
> 
> Hi list,
> 
> I'm a bit puzzled.
> 
> I want to forward all incoming HTTP-traffic to HTTPS.
> 
> Within my $catalina.home/conf/server.xml I've specified the following
> connectors:
> 
>     <Connector port="80" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                redirectPort="443" />
> 
>     <Connector port="443" maxHttpHeaderSize="8192"
>                maxThreads="150"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                SSLEnabled="true"
>                SSLCertificateFile="${catalina.base}/conf/test.dom.crt"
>                SSLCertificateKeyFile="${catalina.base}/conf/test.dom.key" />
> 
> Then I specified in $catalina.home/conf/web.xml the following
> transport-guarantee:
> 
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Protected Context</web-resource-name>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <user-data-constraint>
>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
> 
> In my webapp I additionally specified some security-constraints as
> follows:
> 
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Protected Area</web-resource-name>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>someuser</role-name>
>         </auth-constraint>
>     </security-constraint>
> 
> However, when I call the webapp using http://mywebapp.something, it is
> not redirected to HTTPS but the HTTP-scheme is used.
> 
> However, when I remove the security-constraints from
> $catalina.base/conf/web.xml and change the webapp's
> deployment-descriptor to
> 
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Protected Area</web-resource-name>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <user-data-constraint>
>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint>
>         <!-- describes the valid roles for this app -->
>         <auth-constraint>
>             <role-name>domuser</role-name>
>         </auth-constraint>
>     </security-constraint>
> 
> it's working.
> 
> My understanding was that in the global web.xml
> ($catalina.home/conf/web.xml) the defaults are specified and promoted
> to all webapps. But it seems the webapp doesn't inherit the element
> <user-data-constraint> from the global web.xml if it specifies its
> own <security-constraint> - my expectation was that it inherits
> those elements not specified inside the webapp's
> deployment-descriptor.
> 
> Is it such that if I specify <security-constraint> in my local
> webapp, the global settings in $catalina.home/conf/web.xml are always
> overwritten? If not - where does the inheritance start and where does
> it end?
> 
> My business-case is that I do have a whole bunch of webapps which
> have to be re-directed to HTTPS, each of them having their own
> <security-constraint> since you'll have to log in to access them, and
> additionally multiple domains, so that changing each
> deployment-descriptor is giving me a major headache.
> 
> I couldn't find anything in the documentation - or let me re-phrase
> it: I understood it such that each element is inherited from the
> global deployment-descriptor if not specified in the webapp's own
> deployment-descriptor.
> 
> If somebody could shed some light here or point me to the right docs,
> that would be great.
> 
> My configuration:
> 
> Using CATALINA_BASE:   /home/tomcat/local/apache-tomcat-6.0.33
> Using CATALINA_HOME:   /home/tomcat/local/apache-tomcat-6.0.33
> Using CATALINA_TMPDIR: /home/tomcat/local/apache-tomcat-6.0.33/temp
> Using JRE_HOME:        /usr/lib/jvm/java-6-sun
> Using CLASSPATH:       /home/tomcat/local/apache-tomcat-6.0.33/bin/bootstrap.jar
> Server version: Apache Tomcat/6.0.33
> Server built:   Aug 16 2011 02:16:34
> Server number:  6.0.33.0
> OS Name:        Linux
> OS Version:     2.6.26-2-686
> Architecture:   i386
> JVM Version:    1.6.0_26-b03
> JVM Vendor:     Sun Microsystems Inc.
> 
> I'm also using the APR, thus using OpenSSL as SSL-implementation.
> 
> TIA
> 
> Gregor
> --
> just because you're paranoid, don't mean they're not after you...
> gpgp-fp: 3DB13F197F8A0360814885D1F1F1E2EFAD509AFD
> skype:rc46fi
> gplus.to/gregor
> twitter.com/#/2smart4u
> 

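Since it is each webapp's own <security-constraint> on /* that Tomcat evaluates, the practical follow-up to the advice above is to find every deployment descriptor whose constraints lack a CONFIDENTIAL transport-guarantee before editing them one by one. The script below is an added example, not code from the thread or from Tomcat; the webapp names and the two embedded web.xml samples are constructed from the descriptors quoted above.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Drop a namespace prefix ({uri}tag -> tag) so namespaced descriptors match too."""
    return tag.rsplit('}', 1)[-1]

def security_constraints(web_xml_text):
    """Summarise every <security-constraint> in a deployment descriptor."""
    root = ET.fromstring(web_xml_text)
    result = []
    for sc in (e for e in root.iter() if _local(e.tag) == 'security-constraint'):
        summary = {'name': None, 'patterns': [], 'guarantee': None, 'roles': []}
        for el in sc.iter():
            tag, text = _local(el.tag), (el.text or '').strip()
            if tag == 'web-resource-name':
                summary['name'] = text
            elif tag == 'url-pattern':
                summary['patterns'].append(text)
            elif tag == 'transport-guarantee':
                summary['guarantee'] = text
            elif tag == 'role-name':
                summary['roles'].append(text)
        result.append(summary)
    return result

def plain_http_constraints(web_xml_text):
    """Names of constraints that do not demand CONFIDENTIAL transport themselves.
    A webapp constraint is evaluated on its own, not topped up with the
    user-data-constraint from the global conf/web.xml (the thread's finding),
    so each of these leaves its resources reachable over plain HTTP."""
    return [c['name'] for c in security_constraints(web_xml_text)
            if c['guarantee'] != 'CONFIDENTIAL']

def audit_webapps(descriptors):
    """descriptors: {webapp name: web.xml text}; returns only the webapps needing a fix."""
    report = {app: plain_http_constraints(xml) for app, xml in descriptors.items()}
    return {app: names for app, names in report.items() if names}

# Constructed samples modelled on the two descriptors quoted in the thread; app names are made up.
AUTH_ONLY = """<web-app><security-constraint>
  <web-resource-collection><web-resource-name>Protected Area</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>someuser</role-name></auth-constraint>
</security-constraint></web-app>"""
WITH_TLS = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><security-constraint>
  <web-resource-collection><web-resource-name>Protected Area</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  <auth-constraint><role-name>domuser</role-name></auth-constraint>
</security-constraint></web-app>"""
SAMPLE_WEBAPPS = {'app-a': AUTH_ONLY, 'app-b': WITH_TLS}
```

Pointing `audit_webapps` at the real `WEB-INF/web.xml` of each deployed context lists exactly the descriptors that still need a `<user-data-constraint>` added.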