tomcat-users mailing list archives

From "Naga Ramesh" <naga.ram...@manthan.com>
Subject RE: getting some cookie & security related issues.
Date Thu, 30 Nov 2017 08:25:37 GMT
Thanks Olaf..

> There's one piece of information that looks suspicious to me: HTTPS from AWS
> to Tomcat, port 8080. While it's possible that you're doing this,
> 8080 is typically used to handle http requests, while 8443 would be a
> default choice in the 8000+ range of ports for handling https. Please
> confirm or deny that you have reconfigured a secure connector to listen to
> port 8080, otherwise it's not clear that you're indeed configuring the
> communication from AWS to Tomcat as an encrypted one.


User-https request ---> AWS-ELB-443 & here we have applied the SSL
& 443 redirect to 8080 of tomcat (non SSL)



> To preempt the next mail and give more information upfront: If you indeed
> have tomcat listen on 8080 for http, it won't have a clue that this
> connection is secure, because it doesn't know anything about the original
> connection. You can fake the knowledge about the connection to be secure
> with the connector attribute secure="true", but you'll have to make sure
> that nobody can reach your tomcat through any other way than through your
> load balancer when you do. Another option is to use AJP for the
> communication between AWS and Tomcat (I don't know if this is supported on
> the AWS-ELB side). While this protocol is unencrypted, it does forward the
> http/https information from the original connection

I have tried this way (secure="true") also; the application is working fine,
but we are unable to log in to the application and get the "oops session
expired" error message, so I have reverted this parameter.



Regards,
Naga Ramesh R
1974
-----Original Message-----
From: Olaf Kock [mailto:tomcat@olafkock.de] 
Sent: Thursday, November 30, 2017 1:33 PM
To: users@tomcat.apache.org
Subject: Re: getting some cookie & security related issues.


On 30.11.2017 08:52, Naga Ramesh wrote:
> User --------> AWS --------> Tomcat
>        (HTTPS)        (HTTPS)
>
> User-HTTPS request----> AWS-ELB(https-443)  re-direct to tomcat 
> connector
> port-8080
>
> What is the (expected) path when the user makes an HTTPS request? Is it:
>
> User --------> AWS --------> Tomcat
>        (HTTPS)        (HTTPS)
There's one piece of information that looks suspicious to me: HTTPS from AWS
to Tomcat, port 8080. While it's possible that you're doing this,
8080 is typically used to handle http requests, while 8443 would be a
default choice in the 8000+ range of ports for handling https. Please
confirm or deny that you have reconfigured a secure connector to listen to
port 8080, otherwise it's not clear that you're indeed configuring the
communication from AWS to Tomcat as an encrypted one.

To preempt the next mail and give more information upfront: If you indeed
have tomcat listen on 8080 for http, it won't have a clue that this
connection is secure, because it doesn't know anything about the original
connection. You can fake the knowledge about the connection to be secure
with the connector attribute secure="true", but you'll have to make sure
that nobody can reach your tomcat through any other way than through your
load balancer when you do. Another option is to use AJP for the
communication between AWS and Tomcat (I don't know if this is supported on
the AWS-ELB side). While this protocol is unencrypted, it does forward the
http/https information from the original connection User->AWS

Please clarify your situation. Thanks,
Olaf

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
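As an added illustration (not the thread participants' own configuration), here are the two connector setups in server.xml terms: the secure="true" connector Olaf describes, and an alternative not raised in the thread, Tomcat's RemoteIpValve reading the X-Forwarded-Proto header that the ELB sets; the internalProxies address range is an assumption to adjust to your VPC. Use one variant or the other, not both.

```xml
<!-- server.xml fragments (added illustration, not from the thread).
     Tomcat takes plain HTTP on 8080 from an ELB that terminates TLS on 443. -->

<!-- Variant A, the secure="true" approach discussed in the thread:
     every request arriving on 8080 is unconditionally treated as HTTPS.
     Only safe when the security group / firewall lets nothing but the ELB
     reach port 8080, otherwise a direct plain-HTTP client is also "secure". -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           secure="true"
           scheme="https"
           proxyPort="443" />

<!-- Variant B (alternative not raised in the thread): a plain connector, with
     Tomcat deriving scheme/secure per request from the X-Forwarded-Proto
     header the ELB sets. internalProxies restricts which source addresses
     may assert that header; the 10.x pattern is an assumed VPC range. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" />

<Engine name="Catalina" defaultHost="localhost">
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https"
         httpsServerPort="443"
         internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}" />
  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
</Engine>
```

With Variant B, requests that reach 8080 without passing through a trusted proxy keep their real (http) scheme, so the secure flag on the session cookie reflects what the user actually used.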



