Posted to users@tomcat.apache.org by John Smith <to...@gmail.com> on 2014/05/27 18:31:51 UTC

SSL on one subdirectory only.

Tomcat 7.0.42,  RHEL6, JDK1.7.0_25, Standalone TC configuration. IPTABLES
route port 80 to 8080

I've got a subdirectory like 'www.mysite.com/admin' that I want to put
under FORM based authentication. That's clear enough, and I've got the java
keytool cert working well enough on my dev box until I get one from a CA.

Couple of questions:

1. Anyone familiar with any problems routing 443 to 8443 on *nix boxes for
TC SSL certs? It's preferable to not have my end users needing port
numbers. The cert doesn't care about the port, IIRC.

2. With the SSL connector enabled, https://* is globally respected on the
entire webapp. Do I need to manually check the URL/protocol to deny or
redirect https to http outside of '/admin'? Is there any built in TC
mechanism or suggested best practice to handle this? or should I not care?

Best,
John

Re: SSL on one subdirectory only.

Posted by John Smith <to...@gmail.com>.
>
>
>
>> 2. With the SSL connector enabled, https://* is globally respected on the
>> entire webapp. Do I need to manually check the URL/protocol to deny or
>> redirect https to http outside of '/admin'? Is there any built in TC
>> mechanism or suggested best practice to handle this? or should I not care?
>>
>
> We use two-factor authentication with SSL - but I think in your case
> this can be helpful too - not a big difference.
> Try looking at this:
>
> http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite
>
>>
>>
Arseny, thank you. I wasn't aware of the user-data-constraint
and transport-guarantee elements. I'll give them a try.

Re: SSL on one subdirectory only.

Posted by Arseny <se...@gmail.com>.
On 27.05.2014 19:31, John Smith wrote:
>
> 1. Anyone familiar with any problems routing 443 to 8443 on *nix boxes for
> TC SSL certs? It's preferable to not have my end users needing port
> numbers. The cert doesn't care about the port, IIRC.

Try checking the traffic with ssldump
http://www.rtfm.com/ssldump/

>
> 2. With the SSL connector enabled, https://* is globally respected on the
> entire webapp. Do I need to manually check the URL/protocol to deny or
> redirect https to http outside of '/admin'? Is there any built in TC
> mechanism or suggested best practice to handle this? or should I not care?

We use two-factor authentication with SSL - but I think in your case
this can be helpful too - not a big difference.
Try looking at this:

http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite

> Best,
> John
>

Arseny.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSL on one subdirectory only.

Posted by John Smith <to...@gmail.com>.
On Tue, May 27, 2014 at 2:21 PM, Mark Thomas <ma...@apache.org> wrote:

> On 27/05/2014 17:31, John Smith wrote:
> > Tomcat 7.0.42,  RHEL6, JDK1.7.0_25, Standalone TC configuration. IPTABLES
> > route port 80 to 8080
> >
> > I've got a subdirectory like 'www.mysite.com/admin' that I want to put
> > under FORM based authentication. That's clear enough, and I've got the
> java
> > keytool cert working well enough on my dev box until I get one from a CA.
> >
> > Couple of questions:
> >
> > 1. Anyone familiar with any problems routing 443 to 8443 on *nix boxes
> for
> > TC SSL certs? It's preferable to not have my end users needing port
> > numbers. The cert doesn't care about the port, IIRC.
>
> Should be fine.
>
> > 2. With the SSL connector enabled, https://* is globally respected on
> the
> > entire webapp. Do I need to manually check the URL/protocol to deny or
> > redirect https to http outside of '/admin'? Is there any built in TC
> > mechanism or suggested best practice to handle this? or should I not
> care?
>
> Nothing to automatically handle https -> http. Unless it causes an
> issue, I'd just leave it.
>
> Mark
>
Mark, Thanks and appreciated, as always.

Re: SSL on one subdirectory only.

Posted by Mark Thomas <ma...@apache.org>.
On 27/05/2014 17:31, John Smith wrote:
> Tomcat 7.0.42,  RHEL6, JDK1.7.0_25, Standalone TC configuration. IPTABLES
> route port 80 to 8080
> 
> I've got a subdirectory like 'www.mysite.com/admin' that I want to put
> under FORM based authentication. That's clear enough, and I've got the java
> keytool cert working well enough on my dev box until I get one from a CA.
> 
> Couple of questions:
> 
> 1. Anyone familiar with any problems routing 443 to 8443 on *nix boxes for
> TC SSL certs? It's preferable to not have my end users needing port
> numbers. The cert doesn't care about the port, IIRC.

Should be fine.

> 2. With the SSL connector enabled, https://* is globally respected on the
> entire webapp. Do I need to manually check the URL/protocol to deny or
> redirect https to http outside of '/admin'? Is there any built in TC
> mechanism or suggested best practice to handle this? or should I not care?

Nothing to automatically handle https -> http. Unless it causes an
issue, I'd just leave it.

Mark
