You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "John G. Norman" <jo...@gmail.com> on 2005/06/08 05:36:57 UTC
Set Connector to "secure" but DON'T use TLS/keystore/etc.?
For Tomcat 5.0.28:
I have an SSL accelerator in front of a set of hardware load-balanced Tomcats.
SSL is handled by the accelerator.
HTTP requests come in on port 80 and are redirected via the load
balancer (it's actually an Inkra) to a Tomcat HTTP Connector listening
on port 8080.
I would like to mark some resources in the app with the security
constraint "CONFIDENTIAL" and have the request redirected to port 443.
So . . . A redirected request would now come in on 443, where the SSL
accelerator handles TLS. Then the request goes into the LB, and goes
to a Tomcat Connector on port 8443.
Therefore, in server.xml, I would like to set the secure attribute for
the Connector on port 8443 to "true" so that the request is no longer
redirected.
But if I set the secure attribute to "true," it seems that I must
specify a keystore, and handle SSL on Tomcat. (If you set secure to
"true" but w/o a keystore, you get exceptions and the Connector
doesn't start.)
If I set the secure attribute to "false," then the redirect happens
again (effectively an infinite loop).
So . . . any suggestions?
My ideas are:
(0) See if the load balancer can do the redirect. I.e., have certain
traffic (not all, I'm afraid) return a 304 and redirect to the 443
port? There *are* certain paths (for example, for privacy policy XML
files) that must not use https/443. Then the Tomcat's 8443 could be
insecure. This is a bad solution because now the authority for the
redirect isn't in the app; harder to change.
(1) Stop using the hardware acceleration, and put the SSL cert on each
of the Tomcats. This is probably big drag for performance reasons.
(2) Write a custom J2EE filter to do the 304/redirect.
(3) Any more flexibility on this in Tomcat 5.5?
John
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Set Connector to "secure" but DON'T use TLS/keystore/etc.?
Posted by "John G. Norman" <jo...@gmail.com>.
My suggested solution (2) below works ok as a temporary stopgap. So,
if you ever find yourself in this scenario -- Tomcat behind a hardware
ssl accelerator but you need to redirect for confidential matrials), a
stopgap solution is the code below.
My question is still open as to whether or not a Connector can be set
to be "secure" but without its wanting to do TLS, etc. I wonder if
there is a way through this problem with proxy settings. Also, in the
solution below, I think there are some issues with cached resources.
Anyhoo . . .
Scenario:
1. You have Tomcat behind a hardware SSL accelerator, which handles
TLS for you. And you want that performance boost.
2. You need to mark certain resources CONFIDENTIAL in your web.xml
with <transport-guarantee>CONFIDENTIAL</transport-guarantee>
3. However, CONFIDENTIAL means that when you get traffic to your
Tomcat on the non-secured Connector, there is a redirect to, say, 443
(i.e., back to the SSL accelerator).
4. When the SSL accelerator then sends the traffic to your Tomcat's
8443, there's a double-bind:
a. If you set the 8443 Connector to secure="true" then Tomcat wants to
handle the SSL. But this is bad because it was already handled by the
hardware accelerator.
b. But if you set the 8443 Connect to secure="false" then Tomcat wants
to send the redirect (again). Infinite loop.
Stopgap solution:
1. Remove the user-data-constraint
<transport-guarantee>CONFIDENTIAL</transport-guarantee> from your
web.xml
2. Change your 8443 Connector to "secure=false"
3. Handle the redirect yourself with a filter such as this one (this
is just the dofilter method):
(Note that the filter will have to look at the incoming paths, and
reproduce whatever your settings were in that required the
CONFIDENTIAL guarantee.)
(Also note that this is obviously a hack, with some hardcoding of a
port, assumption that the other port is regular http, etc., etc.)
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
// If incoming is not on the port that is for secure traffic, redirect
if (request.getLocalPort() != 8443) {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
String url = NetUtils.getReconstructedURL(req);
// Change the scheme
String redirect = "https" + url.substring(4);
res.setStatus(HttpServletResponse.SC_FOUND);
res.setHeader("Location", redirect);
if (logger.isLoggable(Level.INFO)) {
logger.info("Redirecting: " + url + " to " + redirect);
}
return;
} else {
chain.doFilter(request, response);
}
}
John
On 6/7/05, John G. Norman <jo...@gmail.com> wrote:
> For Tomcat 5.0.28:
>
> I have an SSL accelerator in front of a set of hardware load-balanced Tomcats.
>
> SSL is handled by the accelerator.
>
> HTTP requests come in on port 80 and are redirected via the load
> balancer (it's actually an Inkra) to a Tomcat HTTP Connector listening
> on port 8080.
>
> I would like to mark some resources in the app with the security
> constraint "CONFIDENTIAL" and have the request redirected to port 443.
>
> So . . . A redirected request would now come in on 443, where the SSL
> accelerator handles TLS. Then the request goes into the LB, and goes
> to a Tomcat Connector on port 8443.
>
> Therefore, in server.xml, I would like to set the secure attribute for
> the Connector on port 8443 to "true" so that the request is no longer
> redirected.
>
> But if I set the secure attribute to "true," it seems that I must
> specify a keystore, and handle SSL on Tomcat. (If you set secure to
> "true" but w/o a keystore, you get exceptions and the Connector
> doesn't start.)
>
> If I set the secure attribute to "false," then the redirect happens
> again (effectively an infinite loop).
>
> So . . . any suggestions?
>
> My ideas are:
>
> (0) See if the load balancer can do the redirect. I.e., have certain
> traffic (not all, I'm afraid) return a 304 and redirect to the 443
> port? There *are* certain paths (for example, for privacy policy XML
> files) that must not use https/443. Then the Tomcat's 8443 could be
> insecure. This is a bad solution because now the authority for the
> redirect isn't in the app; harder to change.
>
> (1) Stop using the hardware acceleration, and put the SSL cert on each
> of the Tomcats. This is probably big drag for performance reasons.
>
> (2) Write a custom J2EE filter to do the 304/redirect.
>
> (3) Any more flexibility on this in Tomcat 5.5?
>
> John
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org