Posted to users@tomcat.apache.org by Filip Hanik - Dev Lists <de...@hanik.com> on 2006/09/01 00:33:03 UTC

Re: Problem moving from HTTP to HTTPS

<role-name>*</role-name>  <!-- even though I have no roles configured -->

the "*" means all the roles that you have defined in web.xml, since you 
haven't defined any roles in web.xml, there is nothing to authenticate, 
hence it's gonna deny the request

Filip


Glen Mazza wrote:
> Hello,
>
> I have developed a simple web application running on Tomcat that asks 
> for a database username and password and then returns a report in PDF. 
> I'm *not* using any of Tomcat's security features for this--no roles 
> for example.
>
> In testing it has been running fine on HTTP, but I would like it to be 
> using HTTPS/SSL for production use, and ideally, be redirecting any 
> user HTTP requests to HTTPS.  So I created a new keystore and 
> activated the HTTPS/SSL connector in the server.xml file.  I also 
> added the following security constraint to the web.xml of my web 
> application in order to force a redirect from HTTP to HTTPS should the 
> user enter the former:
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>thewholeapp</web-resource-name>
>             <url-pattern>/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>*</role-name>  <!-- even though I have no roles 
> configured -->
>         </auth-constraint>
>         <user-data-constraint>
>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
>
> The redirection to the HTTPS page is working, but the HTTPS page 
> itself is failing--I keep getting 403 error messages:  "Access to the 
> requested resource has been denied".  Note I am *not* doing any form 
> of container authentication--that may be the problem, as I'm relying 
> on the DB connection string within my web application to authenticate 
> into the database.  I get the same message if I go to the https:// URL 
> directly and not via redirection.
>
> How can I get Tomcat to let every user access the HTTPS URL login page 
> (letting the database continue to handle the subsequent authentication 
> into the DB), preferably while still allowing for the automatic 
> redirection from HTTP to HTTPS as listed in the above 
> <security-constraint/>?
>
> Thanks,
> Glen
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>


Re: Problem moving from HTTP to HTTPS

Posted by Glen Mazza <gr...@verizon.net>.
Thank you both.  Removing the <auth-constraint/> element quickly solved 
the problem for me.  So far, I have not run into any MSIE problems with 
this solution, hopefully my luck will continue.  (By default, users will 
be given https:// links anyway, the redirection is only for those who 
might accidentally enter via http://.)

Glen


Bill Barker wrote:

> Yeah, you need to delete the entire <auth-constraint>...</auth-constraint> 
> to allow everyone.  However, for MSIE, you may still get problems due to the 
> restricted caching headers that Tomcat adds.

Re: Problem moving from HTTP to HTTPS

Posted by Bill Barker <wb...@wilshire.com>.
Yeah, you need to delete the entire <auth-constraint>...</auth-constraint> 
to allow everyone.  However, for MSIE, you may still get problems due to the 
restricted caching headers that Tomcat adds.

"Filip Hanik - Dev Lists" <de...@hanik.com> wrote in message 
news:44F7639F.6060902@hanik.com...
> <role-name>*</role-name>  <!-- even though I have no roles configured -->
>
> the "*" means all the roles that you have defined in web.xml, since you 
> haven't defined any roles in web.xml, there is nothing to authenticate, 
> hence it's gonna deny the request
>
> Filip
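As an added example, not code from any of the posters: the web.xml fragment with the `<auth-constraint>` dropped, which is the fix Bill and Filip describe. It keeps the HTTPS redirect and lets every user through, and its comments carry the two caveats a reviewer would want next to it (why `*` denied, and why the `<http-method>` elements are better left out). The redirect itself relies on the `redirectPort` attribute of the HTTP `<Connector>` in server.xml pointing at the HTTPS connector.

```xml
<!-- Added example, not from the thread: the corrected constraint. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>thewholeapp</web-resource-name>
        <url-pattern>/*</url-pattern>
        <!-- No <http-method> elements here. When methods are listed, only
             those methods are constrained, so HEAD, PUT, DELETE, etc.
             would escape the HTTPS requirement. Omitting them applies the
             constraint to every method. -->
    </web-resource-collection>

    <!-- No <auth-constraint> at all: with the element absent, any user may
         reach the resources and the DB login page stays reachable.
         Two things NOT to do instead:
           * <auth-constraint/> (empty) means nobody may access: 403 for all.
           * <role-name>*</role-name> means "any role declared in this
             web.xml via <security-role>"; with no roles declared it matches
             nothing, which is the 403 seen in the thread. -->

    <user-data-constraint>
        <!-- Plain-HTTP requests are redirected to the port named by the
             HTTP <Connector>'s redirectPort attribute in server.xml. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```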