Posted to users@tomcat.apache.org by Steve Baker <en...@stevenbaker.com> on 2002/07/17 14:02:06 UTC

Redirecting HTTP -> HTTPS? (second attempt)

------------------------------------------------------------------
It appears that much of the code from my first post got wiped out.
Trying the message again here a second time.  Thanks.  -SB
------------------------------------------------------------------

Have any of you experienced Tomcat changing the *domain name* of the 
request to "localhost" when you're trying to automatically redirect from 
HTTP to HTTPS? We know that it's supposed to change the protocol and the 
port, but the domain as well?

Here's the situation:
I have a directory ("db") on my site (for the sake of this email, 
"www.mysite.com") that I want to protect using SSL.  Additionally, I need 
any wayward HTTP requests to this directory to be automatically redirected 
to HTTPS to ensure that they are SSL-encrypted.

To set this up, I followed the SSL Configuration How-To, created the 
keystore, and generated a private key.  I then edited /conf/server.xml and 
/WEB-INF/web.xml (details below) to automatically redirect those certain 
HTTP requests over to HTTPS.  Finally, I restarted Tomcat.

Now when I reference my HTTPS URL *directly*, SSL kicks in, the browser 
padlock is locked, and everything works great:
    https://www.mysite.com:8443/db/index.jsp

As I stated, however, I've configured the HTTP request:
    http://www.mysite.com:8080/db/index.jsp

To automatically redirect to that HTTPS URL from above:
    https://www.mysite.com:8443/db/index.jsp

BUT, for some reason, Tomcat is changing the domain to LOCALHOST:
    https://localhost:8443/db/index.jsp

So... basically, Tomcat's got it about 80% right. The protocol and port 
were successfully redirected (http 8080 -> https 8443), but the domain was 
changed.  This instance of Tomcat is on a remote machine, *NOT* my local 
machine, so localhost fails. My question -- why would Tomcat be changing 
the server name in such a way?


FYI, here is the relevant code from conf/server.xml:
---------------------------------
<!-- Non-SSL Connector on Port 8080 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
            port="8080" minProcessors="5" maxProcessors="75"
            enableLookups="false" redirectPort="8443"
            acceptCount="10" connectionTimeout="60000" debug="0"
            scheme="http" secure="false"/>

<!-- SSL Connector on Port 8443 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
            port="8443" minProcessors="5" maxProcessors="75"
            enableLookups="false"
            acceptCount="10" connectionTimeout="60000" debug="0"
            scheme="https" secure="true">
   <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
            clientAuth="false" protocol="TLS" />
</Connector>

<!-- Standard Engine -->
<Engine name="Standard Engine" defaultHost="www.mysite.com" debug="0">
    <Host name="www.mysite.com"
          appBase="/home/baker/jbaker/web"
          debug="0"
          unpackWARs="false">
       <Context path="" docBase="" debug="0" reloadable="true"/>
    </Host>
</Engine>
---------------------------------


Here is the relevant code from web.xml:
---------------------------------
<security-constraint>
    <web-resource-collection>
       <web-resource-name>Secure SSL Access</web-resource-name>
       <url-pattern>/db/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
---------------------------------

Note that I have:
* uncommented the SSL connector
* properly set the HTTP connector's redirectPort to SSL's 8443
* changed the Engine's defaultHost to www.mysite.com
* changed the Host's name to www.mysite.com
* set the url-pattern match to /db/* in web.xml
* added the CONFIDENTIAL transport-guarantee

Nothing really extraordinary here.  Moreover, a grep for "localhost" in 
both of these files returns zero results.  I'm just not sure where it's 
coming from ... especially when Tomcat seems to be doing everything *else* 
correctly here.

Any ideas? Thanks in advance!!

-Steve Baker


p.s. Performing a brute force solution such as:
--------------------
if ("http".equals(request.getScheme())) {
    // oops! Plain HTTP: redirect to the https URL instead.
    response.sendRedirect("https://www.mysite.com:8443" + request.getRequestURI());
    return;
}
--------------------
... at the top of every .jsp in my HTTPS-only directory isn't going to be 
the right choice for this particular project.  I will eventually employ 
that as a backup to ensure security, but I don't wish to go with that as my 
first line of defense...



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Redirecting HTTP -> HTTPS? (second attempt)

Posted by Steve Baker <en...@stevenbaker.com>.
>I think you left somewhere in your conf-files a "localhost". I had the 
>same error working on Apache and Tomcat and after some searching I found 
>out that I forgot to modify httpd.conf in a way that my server no 
>longer was the localhost but had a real name.

Right.  In all of the information I gave, I failed to include that Apache 
is connected to Tomcat for this.  Tomcat isn't running as a 
standalone.  Thanks for your response, Nick, I think you're probably right 
(or at least, you're close), but I can't check at this moment to make 
sure.  I'll contact the server admin and see what he thinks.  Since 
localhost does not appear in any of the descriptor files on the Tomcat side 
of things (I've grepped and grepped and grepped, as I mentioned), my only 
guess is that, in this instance, the issue is rooted in Apache.

Can anybody vouch for what Nick has suggested?

The issue now is that it's a virtual host, so explicitly specifying *my* 
particular domain as the machine name in httpd.conf isn't going to 
happen.  :-)  If what you said above is correct, though, my next question 
would be... are there any additional options that I have on the Tomcat side 
of things to make this redirect stay within the same domain name?  (Again, 
outside of building that type of redirect into each of the JSPs and 
servlets themselves.)

Right about now, it sure would be nice for Tomcat to have some more control 
over this, e.g. in the configuration for each Host.  :)  Similar to 
"redirectPort" in Connector, Tomcat would use the value of an optional, 
user-specified attribute as the domain to send all of its SSL redirects for 
that host:

<Host name="foo.mysite.com" redirectHost="foo.mysite.com"
       appBase="/myapp/web" debug="0" unpackWARs="false">
[...]
</Host>

Heh, now, I don't want this discussion to be about the merits of such an 
option, I'm just hoping there's something *like it* out there in some other 
place that I'm missing, could replicate, etc.  This 
domain-being-rewritten-as-localhost business is a bit maddening.

Thanks for any help you all can offer,

-Steve
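
One way to get the behaviour asked for in this message without a check at the top of every JSP is a single servlet Filter that redirects plain-HTTP requests to a host name fixed in configuration. This is an added example, not code from the thread or from Tomcat; the class name `HttpsRedirectFilter` and the init-params `redirectHost` and `redirectPort` are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class): sends plain-HTTP requests to HTTPS on a
 * host name taken from configuration, so the redirect target never depends on
 * the server name the container or a front-end web server reports.
 */
public class HttpsRedirectFilter implements Filter {

    private String redirectHost; // hypothetical init-param, e.g. www.mysite.com
    private int redirectPort;    // hypothetical init-param, e.g. 8443

    public void init(FilterConfig config) throws ServletException {
        redirectHost = config.getInitParameter("redirectHost");
        // Refuse to start with a missing or malformed host rather than
        // silently falling back to whatever name the request carries.
        if (redirectHost == null || !redirectHost.matches("[A-Za-z0-9.-]+")) {
            throw new ServletException("redirectHost init-param missing or not a host name");
        }
        String port = config.getInitParameter("redirectPort");
        try {
            redirectPort = (port == null) ? 443 : Integer.parseInt(port);
        } catch (NumberFormatException e) {
            throw new ServletException("redirectPort init-param is not a number: " + port);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() reflects the connector that received the request
        // (secure="true" on the SSL connector in the server.xml quoted above).
        if (request.isSecure()) {
            chain.doFilter(req, res);
            return;
        }

        // Only the path and query string come from the request; scheme, host
        // and port are fixed, so a wrong or spoofed host name cannot end up
        // in the Location header.
        StringBuffer target = new StringBuffer("https://").append(redirectHost);
        if (redirectPort != 443) {
            target.append(':').append(redirectPort);
        }
        target.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            target.append('?').append(request.getQueryString());
        }
        response.sendRedirect(target.toString());
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Mapped to `/db/*` with a `<filter>` and `<filter-mapping>` entry in web.xml, the filter covers every JSP and servlet under that path. A redirected POST loses its body, so forms should post to the HTTPS URL directly.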





Re: Redirecting HTTP -> HTTPS? (second attempt)

Posted by "Nikolas A. Rathert" <ni...@igd.fhg.de>.
Sorry,
I just answered on a mail where some of the original text was missing. I 
just saw that you searched for the string in every part.
Then I do not have any idea. Could this problem be a result of 
src-compilation? I have no idea.

Cheers,

Nick



Re: Redirecting HTTP -> HTTPS? (second attempt)

Posted by "Nikolas A. Rathert" <ni...@igd.fhg.de>.
Hi,
I think you left somewhere in your conf-files a "localhost". I had the 
same error working on Apache and Tomcat and after some searching I found 
out that I forgot to modify httpd.conf in a way that my server no longer 
was the localhost but had a real name.

I suggest that you scan your conf-files for the string "localhost". 
That must be the cause for the error.

Cheers,

Nick



-- 
Nikolas A. Rathert
Fraunhofer Institute for Computer Graphics
e-Learning & Knowledge Management

Fraunhoferstrasse 5
D-64283 Darmstadt
Germany
Fon +49 6151 155 552
Fax +49 6151 155 569
email: nikolas.rathert@igd.fhg.de
www: http://www.igd.fhg.de




RE: Redirecting HTTP -> HTTPS? (second attempt)

Posted by Stuart Stephen <sw...@swadge.co.uk>.
You could use JavaScript on your non-secure HTTP page?

<script type="text/javascript">
  // Send the browser to the HTTPS site as soon as this page loads.
  window.location = 'https://www.sitename.com';
</script>

That would do the trick.

Stevie
