tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: transport CONFIDENTIAL based on remote ip/host filter?
Date Mon, 04 Jun 2012 22:18:12 GMT

2012/6/5 Timothy J Schumacher <Tim.Schumacher@colorado.edu>:
>
> We make a piece of IT equipment with Tomcat running inside serving an
> application that acts as the administration console for the device.  There
> is also a Firefox browser running inside the equipment that exposes the web
> application in question on the front panel touchscreen of the device.  The
> device also can be plugged into a network to facilitate remote management
> via the web application.  (...)

Why do you need transport CONFIDENTIAL in your web.xml?  Do you have
some pages that are accessed via HTTP and some that are only HTTPS on
the same Tomcat?  That is when you need HTTP -> HTTPS redirection when
a user comes to the protected part.


If your Tomcat serves only the administrative console webapp, I think it
could be a simpler configuration:

1) remove transport-guarantee CONFIDENTIAL
2) configure an HTTPS connector that is accessible from outside
(either do not specify address - to bind on all of them, or specify
the device's public IP)
3) configure an HTTP connector with address="127.0.0.1"  (no need for
secure="true")

This way the HTTP connector binds on the loopback address only and is
not accessible from outside, regardless of your web.xml.


If things are more complicated, you could implement a Filter that does
the same job as transport-guarantee.  The Connector that the client
connects to could be distinguished by ServletRequest.getLocalAddr(),
getLocalPort(), getScheme().

Best regards,
Konstantin Kolinko
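
An added example, not from the original message or from Tomcat itself: a servlet Filter that takes the place of transport-guarantee as described above, letting plain HTTP through only when the request arrived on a loopback connector. The class name, the httpsPort init-param and its 8443 default are assumptions, as is the choice to refuse non-GET/HEAD requests rather than redirect them; the code uses the javax.servlet API.

```java
import java.io.IOException;
import java.net.InetAddress;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: plain HTTP is served only on a loopback connector;
// every other request must arrive over HTTPS.
public class LoopbackOrHttpsFilter implements Filter {
    private int httpsPort = 8443; // assumed default, override via init-param

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String p = cfg.getInitParameter("httpsPort"); // hypothetical param name
        if (p != null) {
            httpsPort = Integer.parseInt(p.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getScheme() and getLocalAddr() describe the Connector that accepted
        // the connection, which is what distinguishes panel from network access.
        if ("https".equalsIgnoreCase(request.getScheme()) || onLoopback(request)) {
            chain.doFilter(req, res);
            return;
        }
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            // The body was already sent in clear text; refuse instead of redirecting.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        if (httpsPort != 443) url.append(':').append(httpsPort);
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) url.append('?').append(request.getQueryString());
        response.sendRedirect(url.toString());
    }

    static boolean onLoopback(ServletRequest req) throws IOException {
        // getLocalAddr() returns an IP literal, so getByName() does no DNS lookup.
        return InetAddress.getByName(req.getLocalAddr()).isLoopbackAddress();
    }

    @Override
    public void destroy() { }
}
```

Map the filter to `/*` in web.xml so it covers the whole application once the `transport-guarantee` element is removed.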
