Posted to users@tomcat.apache.org by Hisham <mo...@gmail.com> on 2009/03/06 12:21:21 UTC

Https forwarding problem

Hi,

I am using Tomcat 5.5 and I want to forward incoming requests at port 80 to
port 443 (i.e. SSL secure connection).  This I have achieved quite easily
via the following configuration:

web.xml:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

server.xml:

<Connector port="80" redirectPort="443" />
<Connector port="443" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/keystore.jks"
           keystorePass="xyz" maxPostSize="15728640" />

I have created the certificates, etc. and it works fine and if I type
http://localhost I am redirected to https://localhost and the login page is
shown.  But, during login, I am making a web service call.  These web
services are deployed on the same Tomcat and are accessed via
http://localhost/axis2/rest...

When I try to login I am getting an exception:

java.net.ConnectException: Connection refused
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
        at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
        at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
        at java.net.Socket.connect(Socket.java:520)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:545)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:389)
        at com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:121)
        at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:81)
        at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:126)

So I figured that the web service call is also being accessed via SSL and
that is not supported by the caller.  Anyway, to get around this I have
tried a NUMBER of things:

1. I added a second security-constraint in web.xml with url pattern as
/axis2/* which has transport-guarantee as NONE.
2. I added a 2nd <service> to my server.xml that has the web services
deployed on a different port.
3. And a whole lot of other things that were useless :(

Is it even possible to do this, going from https -> http (they are 2
separate applications, mind you)?  Does anyone have any suggestions on how to
fix this?  This is driving me nuts!  Thanks!
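
One detail worth having in front of you when reading the attempts above: a security-constraint lives in one web application's WEB-INF/web.xml, and its url-patterns are relative to that webapp's context path. A /axis2/* pattern in the login application's descriptor therefore governs /<login-context>/axis2/*, not a separately deployed /axis2 webapp, which is governed only by its own WEB-INF/web.xml. Within a single webapp, Tomcat applies the constraint whose pattern matches the request most specifically, so a narrower pattern with NONE can carve a plain-HTTP hole out of a CONFIDENTIAL /* constraint. The descriptor fragment below is an added example, not configuration from the thread; the /internal/* path and the resource names are hypothetical.

```xml
<!-- Added example; both constraints sit in ONE webapp's WEB-INF/web.xml.
     Patterns are relative to that webapp's context path. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>whole application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <!-- any plain-HTTP request is answered with a redirect to the
             connector's redirectPort -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Narrower pattern: Tomcat picks the most specific match, so requests
     under /internal/* (hypothetical path) are served over plain HTTP while
     everything else in this webapp is still redirected to HTTPS. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>internal endpoints</web-resource-name>
        <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

The corollary for two separate applications is that no constraint in the first webapp can force, or relax, the transport guarantee of the second; whether /axis2 is redirected depends solely on what the axis2 webapp's own descriptor says, and whether the client even reaches port 80 depends on the connector, not on web.xml at all.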

Re: Https forwarding problem

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Hisham,

On 3/11/2009 5:52 AM, Hisham wrote:
> My concern is that because I have this <security-constraint> which makes any
> url pattern "CONFIDENTIAL", that it's causing the web service call to be
> redirected as well.  And it's very frustrating why the following config is
> NOT working (where I specify that urls starting with axis2 should be
> ignored), and ws calls STILL get redirected:
> 
> <security-constraint>
>         <web-resource-collection>
>                 <url-pattern>/axis2/*</url-pattern>
>                 <url-pattern>/axis2/rest/*</url-pattern>
>         </web-resource-collection>
>         <user-data-constraint>
>                 <transport-guarantee>NONE</transport-guarantee>

That's odd. How do you know it's being redirected? Are you using a
packet capture utility? I would definitely use one if you aren't already.

Are you sure the web.xml that is deployed is the one you are editing?
Sounds like a stupid question, but sometimes one forgets to actually do
a redeploy after a change is made.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
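
Chris's question, how do you know the call is being redirected rather than refused, can be answered without a packet capture utility. The script below is an added example, not code from the thread: it speaks plain HTTP/1.0 to a host and port over an ordinary socket and reports one of three outcomes that look alike from inside a stack trace. "connection-refused" means nobody is listening on that port, which is what the posted java.net.ConnectException says; "redirected-to-https" means the server answered with a 3xx whose Location is https://, which is what a CONFIDENTIAL transport-guarantee makes Tomcat send toward its redirectPort; "served-plain" means the resource came back over HTTP. Host, port and path are arguments. The 302 response inside self_check() is constructed for the demonstration, and the throwaway listener it probes is not a Tomcat.

```python
"""Probe an HTTP port and report how it answered a plain-HTTP request.

Added example, not code from the original thread.  Verdicts:
  connection-refused   nothing is listening on host:port
  redirected-to-https  3xx with an https:// Location (CONFIDENTIAL constraint)
  redirected           3xx to somewhere that is not https://
  served-plain         the resource was served over plain HTTP
"""
import socket
import threading

REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_response(raw):
    """Classify a raw HTTP response (status line plus headers) given as bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return {"status": None, "location": "", "verdict": "not-http"}
    try:
        status = int(parts[1])
    except ValueError:
        return {"status": None, "location": "", "verdict": "not-http"}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    location = headers.get("location", "")
    if status in REDIRECT_CODES and location.lower().startswith("https://"):
        verdict = "redirected-to-https"
    elif status in REDIRECT_CODES:
        verdict = "redirected"
    else:
        verdict = "served-plain"
    return {"status": status, "location": location, "verdict": verdict}


def probe(host, port, path="/", timeout=3.0):
    """Send one HTTP/1.0 GET over a plain (non-SSL) socket and classify the reply."""
    request = ("GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n"
               % (path, host)).encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            buf = b""
            while b"\r\n\r\n" not in buf:        # status line and headers suffice
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
    except ConnectionRefusedError:
        return {"status": None, "location": "", "verdict": "connection-refused"}
    except socket.timeout:
        return {"status": None, "location": "", "verdict": "timeout"}
    return classify_response(buf)


def _serve_once(listener, response):
    """Accept one connection, send a canned response, close (demo helper)."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(4096)
        conn.sendall(response)


def self_check():
    """Probe a throwaway local listener that answers with a constructed,
    Tomcat-style 302 to https, then probe the same port once it is closed.
    Returns the two verdicts: expected ('redirected-to-https',
    'connection-refused')."""
    canned = (b"HTTP/1.1 302 Moved Temporarily\r\n"
              b"Location: https://localhost/axis2/rest/login\r\n"
              b"Content-Length: 0\r\n\r\n")          # constructed sample
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_serve_once, args=(listener, canned))
    server.start()
    first = probe("127.0.0.1", port, "/axis2/rest/login")["verdict"]
    server.join()
    listener.close()
    second = probe("127.0.0.1", port, "/axis2/rest/login")["verdict"]
    return first, second


if __name__ == "__main__":
    print(self_check())
```

For the setup in the thread, call probe("localhost", 80, <the Axis2 path>) from the machine the Axis2 client runs on and compare with a probe of port 443: the HttpClient frames in the stack trace show the client opening an SSL socket, so the port it actually dials is the one whose verdict matters. "connection-refused" on a port that server.xml says is open is a connector problem (address binding, port in use, Tomcat not listening), not a web.xml problem.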


Re: Https forwarding problem

Posted by Hisham <mo...@gmail.com>.
Thanks for your reply Chris.

At first I did try to limit using the "address" attribute, but later I removed
it.  The config snippets I have shown are complete.  You are right, the
exception is coming from the web service call.

My concern is that because I have this <security-constraint> which makes any
url pattern "CONFIDENTIAL", that it's causing the web service call to be
redirected as well.  And it's very frustrating why the following config is
NOT working (where I specify that urls starting with axis2 should be
ignored), and ws calls STILL get redirected:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/axis2/*</url-pattern>
        <url-pattern>/axis2/rest/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Any ideas?  Thanks.

-h
On Tue, Mar 10, 2009 at 9:07 PM, Christopher Schultz <chris@christopherschultz.net> wrote:

>
> Hisham,
>
> On 3/6/2009 6:21 AM, Hisham wrote:
> >                <url-pattern>/*</url-pattern>
> >               <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>
> Good.
>
> > <Connector port="80" redirectPort="443" />
> > <Connector port="443" scheme="https" secure="true"
> >                clientAuth="false" sslProtocol="TLS"
> > keystoreFile="conf/keystore.jks"
> >                keystorePass="xyz" maxPostSize="15728640" />
>
> Good.
>
> > I have created the certificates, etc. and it works fine and if I type
> > http://localhost I am redirected to https://localhost and the login page
> > is shown.
>
> Good.
>
> > But, during login, I am making a web service call.  These web
> > services are deployed on the same Tomcat and are accessed via
> > http://localhost/axis2/rest...
> >
> > When I try to login I am getting an exception:
> >
> > java.net.ConnectException: Connection refused
> >         at java.net.PlainSocketImpl.socketConnect(Native Method)
> >         at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
>
> Presumably this happens to the web service call, not to your
> application, right? Your stack trace didn't include enough to show where
> your code comes in.
>
> "Connection Refused" indicates that you can't reach the correct service.
> Since you're connecting to localhost you're unlikely to be having
> firewall issues (though such access /could/ be blocked). My guess is
> that you've bound your <Connector> to a specific IP address using the
> "address" attribute. Did you post your entire server.xml file, or just
> the "relevant" parts? You might want to re-post with all the details.
>
> > So I figured that the web service call is also being accessed via SSL and
> > that is not supported by the caller.  Anyway, to get around this I have
> > tried a NUMBER of things:
> >
> > 1. I added a second security-constraint in web.xml with url pattern as
> > /axis2/* which has transport-guarantee as NONE.
> > 2. I added a 2nd <service> to my server.xml that has the web services
> > deployed on a different port.
> > 3. And a whole lot of other things that were useless :(
> >
> > Is it even possible to do this, going from https -> http (they are 2
> > separate applications, mind you)?  Does anyone have any suggestions on how
> > to fix this?  This is driving me nuts!  Thanks!
>
> If you get the same error (connection refused) no matter what you try,
> then my conclusion is that you'd bound your <Connector> to specific
> address. That means that you can't make a connection to localhost:80
> because nobody is listening.
>
> -chris

Re: Https forwarding problem

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Hisham,

On 3/6/2009 6:21 AM, Hisham wrote:
>                <url-pattern>/*</url-pattern>
>               <transport-guarantee>CONFIDENTIAL</transport-guarantee>

Good.

> <Connector port="80" redirectPort="443" />
> <Connector port="443" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
> keystoreFile="conf/keystore.jks"
>                keystorePass="xyz" maxPostSize="15728640" />

Good.

> I have created the certificates, etc. and it works fine and if I type
> http://localhost I am redirected to https://localhost and the login page is
> shown.

Good.

> But, during login, I am making a web service call.  These web
> services are deployed on the same Tomcat and are accessed via
> http://localhost/axis2/rest...
> 
> When I try to login I am getting an exception:
> 
> java.net.ConnectException: Connection refused
>         at java.net.PlainSocketImpl.socketConnect(Native Method)
>         at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)

Presumably this happens to the web service call, not to your
application, right? Your stack trace didn't include enough to show where
your code comes in.

"Connection Refused" indicates that you can't reach the correct service.
Since you're connecting to localhost you're unlikely to be having
firewall issues (though such access /could/ be blocked). My guess is
that you've bound your <Connector> to a specific IP address using the
"address" attribute. Did you post your entire server.xml file, or just
the "relevant" parts? You might want to re-post with all the details.

> So I figured that the web service call is also being accessed via SSL and
> that is not supported by the caller.  Anyway, to get around this I have
> tried a NUMBER of things:
> 
> 1. I added a second security-constraint in web.xml with url pattern as
> /axis2/* which has transport-guarantee as NONE.
> 2. I added a 2nd <service> to my server.xml that has the web services
> deployed on a different port.
> 3. And a whole lot of other things that were useless :(
> 
> Is it even possible to do this, going from https -> http (they are 2
> separate applications mind you)?  Does anyone have any suggestions on how to
> fix this?  This is driving me nuts!  Thanks!

If you get the same error (connection refused) no matter what you try,
then my conclusion is that you'd bound your <Connector> to specific
address. That means that you can't make a connection to localhost:80
because nobody is listening.

-chris
