tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat 7 ssl by default
Date Wed, 17 Dec 2014 22:37:08 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Duncan,

On 12/17/14 12:32 PM, Lyallex wrote:
> Yea I thought of this, the problem is I currently have a user area 
> that requires a login and all this is currently configured in
> web.xml and I'm not sure how all this will fit together. I'll try a
> few things out and see what happens.

You can have multiple, overlapping security-constraints. One of them
(which covers the whole site) will require HTTPS, the other (existing
one) will require authentication and authorization, but only for
certain (again, existing) URL patterns.

Should be no problem.

- -chris

> On 17 December 2014 at 17:20, Mark Thomas <markt@apache.org>
> wrote:
>> On 17/12/2014 17:10, Lyallex wrote:
>>> Tomcat 7.0.42 jdk1.7.0_51 Ubuntu 12.04/CentOS dev/deploy
>>> 
>>> I have been reading more and more about Google and the like 
>>> prioritising sites that employ https/ssl by default. Currently
>>> my site does not use https but delegates payment to a secure
>>> payment provider who does, thusly I have avoided going through
>>> the pain of certification etc, now it appears I have little
>>> option but to implement https site wide. I have managed to get
>>> a keystore going and have configured tomcat to serve a self
>>> signed certificate when accessing the site by https (default
>>> port 443)
>>> 
>>> so http://localhost accesses the home page and
>>> https://localhost pops up a warning in Firefox regarding an 
>>> unknown certification authority. This is all good and I'm
>>> pretty sure I understand so far.
>>> 
>>> I have noticed that if I type http://www.google.co.uk in to a
>>> browser the address is automatically changed (redirected) to 
>>> https://www.google.co.uk and I would like the same to happen to
>>> my site.
>>> 
>>> Here is the question. Is this 'redirection' something I need to
>>> configure myself , (can it be done in server.xml for example)
>>> or is this something the people I rent my server from need to
>>> do at their end.
>> 
>> It depends on exactly how things are set up.
>> 
>> The first thing I would try is adding something like the
>> following to your web.xml:
>> 
>> <security-constraint> <web-resource-collection> 
>> <web-resource-name>Everything</web-resource-name> 
>> <url-pattern>/*</url-pattern> </web-resource-collection> 
>> <user-data-constraint> 
>> <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
>> </user-data-constraint> </security-constraint>
>> 
>> If I have remembered my syntax correctly, that should route
>> every request to https if it isn't already.
>> 
>> Mark
>> 
>> 
>> ---------------------------------------------------------------------
>>
>> 
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>> 
> 
> ---------------------------------------------------------------------
>
> 
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUkgWTAAoJEBzwKT+lPKRYVgYP/0MIsch7SiF2bcMqJtDG7Ovn
OFSRej7i+6Mjd0efs6h7QKUqAep8C0QKufOFH7Isn2aZa2TYLQXWIKVJtDqbAqz+
92K/gpWtZ2FGkB/Qg0GNPWNg/em5u/XWJeFjqMPfufZIk/yIZkMByFzDjXiuS/0n
rIdadWqzjvkMJcKAfRzO5CuVPcennzovSLB2/ReGA4lYLzc7b81Stxe+6pE0JBg/
XVzu0BFLuBfKHL0KYL/7TFaYQOpbkSc0ROS3UtzNVNyquXMwYjqCDImpcElvnYYZ
XX1eMNFnOf6M+sPItHllJiWHzaQYd3vA9axHeE5/F5XiXruYr8V714jRdQH+XCwX
FxcalpMw3wbw8OVwFkRZKzlbBhDeWJiurT2vIols5rHjqtrOwDDMrwt7Nzx57VUD
5HTBb+Ghk8lMFfd/VSh6+NjFfqwp5yAvlUhU4PqNrEkjmx150/JBYa9cfVNFwnk7
Wbfb3sWsTzrYPIgw5yOzoI9X3R5gALFBpRqjnhdrJw0wht8s4GNJbpwq4zwQiGto
PSyW3mUnMrxarTK4Wq+enRSaQQWgc7BMELdrsH0ixwG8EAA5gCRhfBSV6SVcGAaY
tyuNgJv6Pt+C3xQW/BaXOe24mmxuVmjJU0G6A2oFnPiC3J/gbiwPECjFIAR7yEWp
5ZRKipmvLh3vAoJcvvgR
=hjT0
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message