You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Julio César Chaves Fernández <he...@hotmail.com> on 2008/08/08 18:25:17 UTC
https & j_security_check
Hi, I have an issue with both https and j_secutiry_check... i've an application that works fine with only authentication (j_security_check) but when I try to access with https the application redirects the browser to the form-login page that is set in the web.xml file. The curious thing is that when the password is wrong the redirection is to the form-error page defined in the web.xml file. So, I was hoping you could give me some sort of advice or where could I start looking to know why it behaves like that. Thanks for reading. Sincerely, Julio César Chaves
_________________________________________________________________
Explore the seven wonders of the world
http://search.msn.com/results.aspx?q=7+wonders+world&mkt=en-US&form=QBRE
RE: https & j_security_check now really Solved :P
Posted by Patrick Markiewicz <pm...@sim-gtech.com>.
Do I need to configure separate connectors for the isapi_redirect.dll to = work properly? I realize that this discussion is about apache, and not = iis, but I've had no ability to connect to = https://<SAMPLE-DOMAIN>.com:8443/examples, and I can't understand why.
Patrick
-----Original Message-----
From: Julio César Chaves Fernández [mailto:henf1@hotmail.com]
Sent: Wednesday, August 20, 2008 12:33 AM
To: Tomcat Users List
Subject: RE: https & j_security_check now really Solved :P
Hi,
Yes, it worked with only that connector ... the requests that came from http over apache and went to the AJP connector were redirected by te port defined as redirectPort in the connector...so changing this to 443 as in the second scheme you propose did the job...thanks for helping and again my apologies for all the trouble or headaches caused ;).
Julio César
> Date: Tue, 19 Aug 2008 13:14:51 -0400> From: chris@christopherschultz.net> To: users@tomcat.apache.org> Subject: Re: https & j_security_check apparently Solved :P> > -----BEGIN PGP SIGNED MESSAGE-----> Hash: SHA1> > Julio,> > Julio César Chaves Fernández wrote:> > I'm sorry but i read the previous question and now that i notice i> > doesn't make any sense given that apache is connecting tomcat by AJP> > connector ... the question would be if there is a way to redirect a> > request over http for an application that has a confidential> > transport guarantee defined in the application not through the port> > defined in the AJP connector but by port 443?> > If you want all traffic to be handled by Apache httpd and mod_jk in this> way:> > Client --- HTTP (80) ---> Apache httpd --- AJP (8100) ---> Tomcat> Client --- HTTPS (443) ---> Apache httpd --- AJP (8100) ---> Tomcat> > Then you need only a single connector:> > <Connector port="8100" protocol="AJP/1.3" />> > (Plus any other settings you want to add).> > Apache httpd will handle all of the HTTPS stuff for you. Remove all> other connectors from Tomcat.> > If you want to be able to support alternate ports that go directly to> Tomcat, like this:> > Client --- HTTP (80) ---> Tomcat> Client --- HTTPS (443) ---> Tomcat> > Then you will need two connectors:> > <Connector port="80" />> <Connector port="443" scheme="https" sslProtocol="TLS"/>> > (Plus any other settings you want to add).> > If you want to support both configurations at the same time, you will> need 3 connectors, but each with unique port numbers. Something like this:> > Client --- HTTP (80) ---> Apache httpd --- AJP (8100) ---> Tomcat> Client --- HTTPS (443) ---> Apache httpd --- AJP (8100) ---> Tomcat> Client --- HTTP (8080) ---> Tomcat> Client --- HTTPS (8443) ---> Tomcat> > <Connector port="8100" protocol="AJP/1.3" /> <!-- for AJP -->> <Connector port="8080" redirectPort="8443" /> <!-- for HTTP -->> <Connector port="8443" scheme="https" sslProtocol="TLS"/>> > If you want to use port 443 as the redirect port for your 8080> connector, then go ahead and do it. However, to me it only makes sense> to support /either/ direct-to-Tomcat /or/ via-Apache-httpd configurations.> > - -chris> > -----BEGIN PGP SIGNATURE-----> Version: GnuPG v1.4.9 (MingW32)> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org> > iEYEARECAAYFAkiq/4sACgkQ9CaO5/Lv0PC7dwCgky/b57zH2RYKBc14jPo1mNXQ> /g8AnAhjkevlaEyaoG0B7Pz3txgn8FFp> =BhcA> -----END PGP SIGNATURE-----> > ---------------------------------------------------------------------> To start a new topic, e-mail: users@tomcat.apache.org> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org> For additional commands, e-mail: users-help@tomcat.apache.org>
_________________________________________________________________
Connect to the next generation of MSN Messenger
http://imagine-msn.com/messenger/launch80/default.aspx?locale=en-us&source=wlmailtagline
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: https & j_security_check now really Solved :P
Posted by Julio César Chaves Fernández <he...@hotmail.com>.
Hi,
Yes, it worked with only that connector ... the requests that came from http over apache and went to the AJP connector were redirected by te port defined as redirectPort in the connector...so changing this to 443 as in the second scheme you propose did the job...thanks for helping and again my apologies for all the trouble or headaches caused ;).
Julio César
> Date: Tue, 19 Aug 2008 13:14:51 -0400> From: chris@christopherschultz.net> To: users@tomcat.apache.org> Subject: Re: https & j_security_check apparently Solved :P> > -----BEGIN PGP SIGNED MESSAGE-----> Hash: SHA1> > Julio,> > Julio César Chaves Fernández wrote:> > I'm sorry but i read the previous question and now that i notice i> > doesn't make any sense given that apache is connecting tomcat by AJP> > connector ... the question would be if there is a way to redirect a> > request over http for an application that has a confidential> > transport guarantee defined in the application not through the port> > defined in the AJP connector but by port 443?> > If you want all traffic to be handled by Apache httpd and mod_jk in this> way:> > Client --- HTTP (80) ---> Apache httpd --- AJP (8100) ---> Tomcat> Client --- HTTPS (443) ---> Apache httpd --- AJP (8100) ---> Tomcat> > Then you need only a single connector:> > <Connector port="8100" protocol="AJP/1.3" />> > (Plus any other settings you want to add).> > Apache httpd will handle all of the HTTPS stuff for you. Remove all> other connectors from Tomcat.> > If you want to be able to support alternate ports that go directly to> Tomcat, like this:> > Client --- HTTP (80) ---> Tomcat> Client --- HTTPS (443) ---> Tomcat> > Then you will need two connectors:> > <Connector port="80" />> <Connector port="443" scheme="https" sslProtocol="TLS"/>> > (Plus any other settings you want to add).> > If you want to support both configurations at the same time, you will> need 3 connectors, but each with unique port numbers. Something like this:> > Client --- HTTP (80) ---> Apache httpd --- AJP (8100) ---> Tomcat> Client --- HTTPS (443) ---> Apache httpd --- AJP (8100) ---> Tomcat> Client --- HTTP (8080) ---> Tomcat> Client --- HTTPS (8443) ---> Tomcat> > <Connector port="8100" protocol="AJP/1.3" /> <!-- for AJP -->> <Connector port="8080" redirectPort="8443" /> <!-- for HTTP -->> <Connector port="8443" scheme="https" sslProtocol="TLS"/>> > If you want to use port 443 as the redirect port for your 8080> connector, then go ahead and do it. However, to me it only makes sense> to support /either/ direct-to-Tomcat /or/ via-Apache-httpd configurations.> > - -chris> > -----BEGIN PGP SIGNATURE-----> Version: GnuPG v1.4.9 (MingW32)> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org> > iEYEARECAAYFAkiq/4sACgkQ9CaO5/Lv0PC7dwCgky/b57zH2RYKBc14jPo1mNXQ> /g8AnAhjkevlaEyaoG0B7Pz3txgn8FFp> =BhcA> -----END PGP SIGNATURE-----> > ---------------------------------------------------------------------> To start a new topic, e-mail: users@tomcat.apache.org> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org> For additional commands, e-mail: users-help@tomcat.apache.org>
_________________________________________________________________
Connect to the next generation of MSN Messenger
http://imagine-msn.com/messenger/launch80/default.aspx?locale=en-us&source=wlmailtagline
Re: https & j_security_check apparently Solved :P
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Julio,
Julio César Chaves Fernández wrote:
> I'm sorry but i read the previous question and now that i notice i
> doesn't make any sense given that apache is connecting tomcat by AJP
> connector ... the question would be if there is a way to redirect a
> request over http for an application that has a confidential
> transport guarantee defined in the application not through the port
> defined in the AJP connector but by port 443?
If you want all traffic to be handled by Apache httpd and mod_jk in this
way:
Client --- HTTP (80) ---> Apache httpd --- AJP (8100) ---> Tomcat
Client --- HTTPS (443) ---> Apache httpd --- AJP (8100) ---> Tomcat
Then you need only a single connector:
<Connector port="8100" protocol="AJP/1.3" />
(Plus any other settings you want to add).
Apache httpd will handle all of the HTTPS stuff for you. Remove all
other connectors from Tomcat.
If you want to be able to support alternate ports that go directly to
Tomcat, like this:
Client --- HTTP (80) ---> Tomcat
Client --- HTTPS (443) ---> Tomcat
Then you will need two connectors:
<Connector port="80" />
<Connector port="443" scheme="https" sslProtocol="TLS"/>
(Plus any other settings you want to add).
If you want to support both configurations at the same time, you will
need 3 connectors, but each with unique port numbers. Something like this:
Client --- HTTP (80) ---> Apache httpd --- AJP (8100) ---> Tomcat
Client --- HTTPS (443) ---> Apache httpd --- AJP (8100) ---> Tomcat
Client --- HTTP (8080) ---> Tomcat
Client --- HTTPS (8443) ---> Tomcat
<Connector port="8100" protocol="AJP/1.3" /> <!-- for AJP -->
<Connector port="8080" redirectPort="8443" /> <!-- for HTTP -->
<Connector port="8443" scheme="https" sslProtocol="TLS"/>
If you want to use port 443 as the redirect port for your 8080
connector, then go ahead and do it. However, to me it only makes sense
to support /either/ direct-to-Tomcat /or/ via-Apache-httpd configurations.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkiq/4sACgkQ9CaO5/Lv0PC7dwCgky/b57zH2RYKBc14jPo1mNXQ
/g8AnAhjkevlaEyaoG0B7Pz3txgn8FFp
=BhcA
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: https & j_security_check apparently Solved :P
Posted by Julio César Chaves Fernández <he...@hotmail.com>.
Hi,
I'm sorry but i read the previous question and now that i notice i doesn't make any sense given that apache is connecting tomcat by AJP connector ... the question would be if there is a way to redirect a request over http for an application that has a confidential transport guarantee defined in the application not through the port defined in the AJP connector but by port 443?
TIA,
Julio César
> From: henf1@hotmail.com> To: users@tomcat.apache.org> Subject: RE: https & j_security_check apparently Solved :P> Date: Tue, 19 Aug 2008 10:05:27 -0500> > Hi,> > Well, when i access the application over the AJP connector it does what it's suppossed to ... redirect it by the redirect port defined in the connector on the server.xml file. Its just that https is over port 443, so when it redirects by port 8463 defined in the AJP connector it gets a timeout error. Apache sends its requests to the connector with the port 8100 I assume ... so if i define a redirect port with 443 in it would it work ?> > TIA,> > Julio César> > > > > Date: Fri, 15 Aug 2008 13:07:33 -0400> From: chris@christopherschultz.net> To: users@tomcat.apache.org> Subject: Re: https & j_security_check apparently Solved :P> > -----BEGIN PGP SIGNED MESSAGE-----> Hash: SHA1> > Julio,> > Julio César Chaves Fernández wrote:> > the access is over Apache through the mod_jk connector (the one that> > connects with AJP13), and mapping with httpd.conf, but its also> > accessed by ports 8100 and 8443.> > I think you might reduce confusion if you debug one connector setup at a> time. If you access your web application exclusively through Apache/AJP,> does the application behave in the way you expect?> > - -chris> > -----BEGIN PGP SIGNATURE-----> Version: GnuPG v1.4.9 (MingW32)> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org> > iEYEARECAAYFAkilt9UACgkQ9CaO5/Lv0PCesACgkPPuZfbXi1JytUPG8JNN+/5s> lAsAoKvBxJGtvVAdGL+gCXdqDYjYNdt/> =kJ9R> -----END PGP SIGNATURE-----> > ---------------------------------------------------------------------> _________________________________________________________________> Explore the seven wonders of the world> http://search.msn.com/results.aspx?q=7+wonders+world&mkt=en-US&form=QBRE
_________________________________________________________________
Explore the seven wonders of the world
http://search.msn.com/results.aspx?q=7+wonders+world&mkt=en-US&form=QBRE
Re: https & j_security_check apparently Solved :P
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Julio,
Julio César Chaves Fernández wrote:
> Well, when i access the application over the AJP connector it does
> what it's supposed to ... redirect it by the redirect port defined in
> the connector on the server.xml file.
Good.
> Its just that https is over port 443, so when it redirects by port
> 8463 defined in the AJP connector it gets a timeout error.
You should not define the redirect port to be 8463, then. AJP has no SSL
equivalent. Set the redirect port for the AJP connector to whatever the
SSL port /should be/ for the user.
> Apache sends its requests to the connector with the port 8100 I
> assume ... so if i define a redirect port with 443 in it would it
> work ?
The default redirect port should be 443 (which should actually append
/no/ port, since the default HTTPS port is 443). I would imagine that
this will work.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkiq/V8ACgkQ9CaO5/Lv0PByDACeMzLMwnhde5E3Cyly+bdceOYp
UbgAn2ctktlwtWJFM8C63C5N5j86JfLo
=dOsC
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: https & j_security_check apparently Solved :P
Posted by Julio César Chaves Fernández <he...@hotmail.com>.
Hi,
Well, when i access the application over the AJP connector it does what it's suppossed to ... redirect it by the redirect port defined in the connector on the server.xml file. Its just that https is over port 443, so when it redirects by port 8463 defined in the AJP connector it gets a timeout error. Apache sends its requests to the connector with the port 8100 I assume ... so if i define a redirect port with 443 in it would it work ?
TIA,
Julio César
> Date: Fri, 15 Aug 2008 13:07:33 -0400> From: chris@christopherschultz.net> To: users@tomcat.apache.org> Subject: Re: https & j_security_check apparently Solved :P> > -----BEGIN PGP SIGNED MESSAGE-----> Hash: SHA1> > Julio,> > Julio César Chaves Fernández wrote:> > the access is over Apache through the mod_jk connector (the one that> > connects with AJP13), and mapping with httpd.conf, but its also> > accessed by ports 8100 and 8443.> > I think you might reduce confusion if you debug one connector setup at a> time. If you access your web application exclusively through Apache/AJP,> does the application behave in the way you expect?> > - -chris> > -----BEGIN PGP SIGNATURE-----> Version: GnuPG v1.4.9 (MingW32)> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org> > iEYEARECAAYFAkilt9UACgkQ9CaO5/Lv0PCesACgkPPuZfbXi1JytUPG8JNN+/5s> lAsAoKvBxJGtvVAdGL+gCXdqDYjYNdt/> =kJ9R> -----END PGP SIGNATURE-----> > ---------------------------------------------------------------------
_________________________________________________________________
Explore the seven wonders of the world
http://search.msn.com/results.aspx?q=7+wonders+world&mkt=en-US&form=QBRE
Re: https & j_security_check apparently Solved :P
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Julio,
Julio César Chaves Fernández wrote:
> the access is over Apache through the mod_jk connector (the one that
> connects with AJP13), and mapping with httpd.conf, but its also
> accessed by ports 8100 and 8443.
I think you might reduce confusion if you debug one connector setup at a
time. If you access your web application exclusively through Apache/AJP,
does the application behave in the way you expect?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkilt9UACgkQ9CaO5/Lv0PCesACgkPPuZfbXi1JytUPG8JNN+/5s
lAsAoKvBxJGtvVAdGL+gCXdqDYjYNdt/
=kJ9R
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: https & j_security_check apparently Solved :P
Posted by Julio César Chaves Fernández <he...@hotmail.com>.
Hi,
the access is over Apache through the mod_jk connector (the one that connects with AJP13), and mapping with httpd.conf, but its also accessed by ports 8100 and 8443.
> Date: Fri, 15 Aug 2008 11:10:09 -0400> From: chris@christopherschultz.net> To: users@tomcat.apache.org> Subject: Re: https & j_security_check apparently Solved :P> > -----BEGIN PGP SIGNED MESSAGE-----> Hash: SHA1> > Julio,> > Julio César Chaves Fernández wrote:> > Ye, i think thats what i needed .... apparently the redirection was> > the problem ... thanks for your help and excuse my ignorance but ...> > i have this connectors:> > Can you explain what each of these connectors is for?> > I can see one HTTPS, one HTTP, and one AJP13. How are you really> accessing Tomcat?> > - -chris> -----BEGIN PGP SIGNATURE-----> Version: GnuPG v1.4.9 (MingW32)> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org> > iEYEARECAAYFAkilnFEACgkQ9CaO5/Lv0PAkzgCdEdtYw4tgxGGmV0acfIaWyHCM> e4oAoJPqTIEa/LkOjeJNeLW4cg4k/Qzv> =/WE8> -----END PGP SIGNATURE-----> > ---------------------------------------------------------------------> To start a new topic, e-mail: users@tomcat.apache.org> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org> For additional commands, e-mail: users-help@tomcat.apache.org>
_________________________________________________________________
Invite your mail contacts to join your friends list with Windows Live Spaces. It's easy!
http://spaces.live.com/spacesapi.aspx?wx_action=create&wx_url=/friends.aspx&mkt=en-us
Re: https & j_security_check apparently Solved :P
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Julio,
Julio César Chaves Fernández wrote:
> Ye, i think thats what i needed .... apparently the redirection was
> the problem ... thanks for your help and excuse my ignorance but ...
> i have this connectors:
Can you explain what each of these connectors is for?
I can see one HTTPS, one HTTP, and one AJP13. How are you really
accessing Tomcat?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkilnFEACgkQ9CaO5/Lv0PAkzgCdEdtYw4tgxGGmV0acfIaWyHCM
e4oAoJPqTIEa/LkOjeJNeLW4cg4k/Qzv
=/WE8
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: https & j_security_check apparently Solved :P
Posted by Julio César Chaves Fernández <he...@hotmail.com>.
Hi,
Ye, i think thats what i needed .... apparently the redirection was the problem ... thanks for your help and excuse my ignorance but ... i have this connectors:
<Service
name="Catalina">
<Connector
URIEncoding="UTF-8"
port="8100"
minSpareThreads="25"
connectionTimeout="20000"
uRIEncoding="UTF-8"
maxThreads="300"
maxSpareThreads="75">
</Connector>
<Connector
port="8443"
scheme="https"
secure="true"
debug="0"
minSpareThreads="25"
clientAuth="false"
keystoreType="PKCS12"
keystorePass=""
maxThreads="150"
maxSpareThreads="75"
keystoreFile="/home/jakarta/tomcat-5.5.16-8100/conf/icesi.p12"
sslProtocol="TLS">
</Connector>
<Connector
port="8029"
redirectPort="8463"
protocol="AJP/1.3">
</Connector>
.
.
.
and when I used the transport-guarantee tag and try to access the page it changes the url with the connector that has the AJP/1.3 protocol associated... do you know why could this happen?
TIA,
Julio César
> Date: Thu, 14 Aug 2008 12:29:38 -0400> From: chris@christopherschultz.net> To: users@tomcat.apache.org> Subject: Re: https & j_security_check apparently Solved :P> > -----BEGIN PGP SIGNED MESSAGE-----> Hash: SHA1> > Julio,> > Julio César Chaves Fernández wrote:> > I was testing somethings within the login page that is configured in> > the web.xml file... and there was a piece of code doing a redirection> > to assure that the page is loaded over https... first i proved with a> > simple login page over https with no more than the login form ...and> > it worked as it supossed to ... then instead of insert the code to> > redirect the page over https I opened it with a url specifying https> > instead of http ... it worked ... so I changed back the form-login> > param in web.xml ... removed the redirection ... an tried again the> > same way i did with the simple login form ... and it worked ... now i> > have to ask ... did the redirection had something to do with this> > problem or do anyone know of a possible problem that can be raised> > when this is done?TIA,> > Honestly, I'm having a hard time understanding what you are doing. What> is the additional redirection for? Why not simply use> <transport-guarantee> in web.xml and let the container handle any HTTPS> requirements?> > - -chris> -----BEGIN PGP SIGNATURE-----> Version: GnuPG v1.4.9 (MingW32)> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org> > iEYEARECAAYFAkikXXIACgkQ9CaO5/Lv0PC1wgCgtUNuWDBsTqIPIjAfH64OPgv+> wf4An1rHKW4HmO15pAwckdz0msxOmLd2> =LSxR> -----END PGP SIGNATURE-----> > ---------------------------------------------------------------------> To start a new topic, e-mail: users@tomcat.apache.org> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org> For additional commands, e-mail: users-help@tomcat.apache.org>
_________________________________________________________________
News, entertainment and everything you care about at Live.com. Get it now!
http://www.live.com/getstarted.aspx
Re: https & j_security_check apparently Solved :P
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Julio,
Julio César Chaves Fernández wrote:
> I was testing somethings within the login page that is configured in
> the web.xml file... and there was a piece of code doing a redirection
> to assure that the page is loaded over https... first i proved with a
> simple login page over https with no more than the login form ...and
> it worked as it supossed to ... then instead of insert the code to
> redirect the page over https I opened it with a url specifying https
> instead of http ... it worked ... so I changed back the form-login
> param in web.xml ... removed the redirection ... an tried again the
> same way i did with the simple login form ... and it worked ... now i
> have to ask ... did the redirection had something to do with this
> problem or do anyone know of a possible problem that can be raised
> when this is done?TIA,
Honestly, I'm having a hard time understanding what you are doing. What
is the additional redirection for? Why not simply use
<transport-guarantee> in web.xml and let the container handle any HTTPS
requirements?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkikXXIACgkQ9CaO5/Lv0PC1wgCgtUNuWDBsTqIPIjAfH64OPgv+
wf4An1rHKW4HmO15pAwckdz0msxOmLd2
=LSxR
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: https & j_security_check apparently Solved :P
Posted by Julio César Chaves Fernández <he...@hotmail.com>.
Hi,
I was testing somethings within the login page that is configured in the web.xml file... and there was a piece of code doing a redirection to assure that the page is loaded over https... first i proved with a simple login page over https with no more than the login form ...and it worked as it supossed to ... then instead of insert the code to redirect the page over https I opened it with a url specifying https instead of http ... it worked ... so I changed back the form-login param in web.xml ... removed the redirection ... an tried again the same way i did with the simple login form ... and it worked ... now i have to ask ... did the redirection had something to do with this problem or do anyone know of a possible problem that can be raised when this is done?TIA,
Julio César
> Date: Wed, 13 Aug 2008 13:44:39 -0400> From: chris@christopherschultz.net> To: users@tomcat.apache.org> Subject: Re: https & j_security_check> > -----BEGIN PGP SIGNED MESSAGE-----> Hash: SHA1> > Julio,> > Julio César Chaves Fernández wrote:> | The 302 sends me back to the login page ... honestly i can't totally> | blame https ... i tested the applicaction with https via JSSE and it> | works (this was done in my pc)... but when i changed the application> | to another server https became the main issue where before it wasn't> | ... so i'm trying to find what the real problem is ... it's just that> | the only thing different between the working and the not working> | application is the use of https.> > If you moved the application to another server, is it possible that the> login itself is actually failing, and Tomcat is reacting correctly?> > One of my complaints about TC's authenticator is that it tends to> swallow errors. You might try to write a little test on the new server> to see if you can correctly access your user database.> > - -chris> -----BEGIN PGP SIGNATURE-----> Version: GnuPG v1.4.9 (MingW32)> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org> > iEYEARECAAYFAkijHYcACgkQ9CaO5/Lv0PCYpwCff97yGzzjteCe6NPrVmVV0XmP> 8LIAoKqGTkkbfvwIorRXRlMUa5y6KkWG> =PKpu> -----END PGP SIGNATURE-----> > ---------------------------------------------------------------------> To start a new topic, e-mail: users@tomcat.apache.org> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org> For additional commands, e-mail: users-help@tomcat.apache.org>
_________________________________________________________________
News, entertainment and everything you care about at Live.com. Get it now!
http://www.live.com/getstarted.aspx
Re: https & j_security_check
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Julio,
Julio César Chaves Fernández wrote:
| The 302 sends me back to the login page ... honestly i can't totally
| blame https ... i tested the applicaction with https via JSSE and it
| works (this was done in my pc)... but when i changed the application
| to another server https became the main issue where before it wasn't
| ... so i'm trying to find what the real problem is ... it's just that
| the only thing different between the working and the not working
| application is the use of https.
If you moved the application to another server, is it possible that the
login itself is actually failing, and Tomcat is reacting correctly?
One of my complaints about TC's authenticator is that it tends to
swallow errors. You might try to write a little test on the new server
to see if you can correctly access your user database.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkijHYcACgkQ9CaO5/Lv0PCYpwCff97yGzzjteCe6NPrVmVV0XmP
8LIAoKqGTkkbfvwIorRXRlMUa5y6KkWG
=PKpu
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: https & j_security_check
Posted by Julio César Chaves Fernández <he...@hotmail.com>.
The 302 sends me back to the login page ... honestly i can't totally blame https ... i tested the applicaction with https via JSSE and it works (this was done in my pc)... but when i changed the application to another server https became the main issue where before it wasn't ... so i'm trying to find what the real problem is ... it's just that the only thing different between the working and the not working application is the use of https.
Julio César
> Date: Wed, 13 Aug 2008 12:20:59 -0400> From: chris@christopherschultz.net> To: users@tomcat.apache.org> Subject: Re: https & j_security_check> > -----BEGIN PGP SIGNED MESSAGE-----> Hash: SHA1> > Julio,> > Julio César Chaves Fernández wrote:> | No i'm working with https all the time ... when it's only over http> | the application works ... it's just that i've been reading about> | something related to j_security_check and that it adds port 80 to the> | url> > Tomcat does not add port 80 to the URL. It uses whatever port was> already being used.> > | ... so i don't know if it's related to my problem... i read this> | in> |> http://www.velocityreviews.com/forums/t145712-load-balancing-an-https-java-web-application-in-tomcat.html> | ... may be i'm wrong or i don't have the right idea ... but when i> | saw that 302 the only thing that came to my mind was some problem> | related to the url and the server not finding the associated> | resources ... i'm checking if maybe thats the reason...> > Where does the 302 send you? Back to the login-error page? Are you sure> that the only difference between a working configuration and a> non-working configuration is the use of HTTPs?> > - -chris> -----BEGIN PGP SIGNATURE-----> Version: GnuPG v1.4.9 (MingW32)> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org> > iEYEARECAAYFAkijCesACgkQ9CaO5/Lv0PA3cwCfUeM4okC0y2h7QQlTcb5p4w2R> zPkAn09q7o10IodI+udoVCSLz92HDFOS> =E4Jq> -----END PGP SIGNATURE-----> > ---------------------------------------------------------------------> To start a new topic, e-mail: users@tomcat.apache.org> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org> For additional commands, e-mail: users-help@tomcat.apache.org>
_________________________________________________________________
News, entertainment and everything you care about at Live.com. Get it now!
http://www.live.com/getstarted.aspx
Re: https & j_security_check
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Julio,
Julio César Chaves Fernández wrote:
| No i'm working with https all the time ... when it's only over http
| the application works ... it's just that i've been reading about
| something related to j_security_check and that it adds port 80 to the
| url
Tomcat does not add port 80 to the URL. It uses whatever port was
already being used.
| ... so i don't know if it's related to my problem... i read this
| in
|
http://www.velocityreviews.com/forums/t145712-load-balancing-an-https-java-web-application-in-tomcat.html
| ... may be i'm wrong or i don't have the right idea ... but when i
| saw that 302 the only thing that came to my mind was some problem
| related to the url and the server not finding the associated
| resources ... i'm checking if maybe thats the reason...
Where does the 302 send you? Back to the login-error page? Are you sure
that the only difference between a working configuration and a
non-working configuration is the use of HTTPs?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkijCesACgkQ9CaO5/Lv0PA3cwCfUeM4okC0y2h7QQlTcb5p4w2R
zPkAn09q7o10IodI+udoVCSLz92HDFOS
=E4Jq
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: https & j_security_check
Posted by Julio César Chaves Fernández <he...@hotmail.com>.
No i'm working with https all the time ... when it's only over http the application works ... it's just that i've been reading about something related to j_security_check and that it adds port 80 to the url ... so i don't know if it's related to my problem... i read this in http://www.velocityreviews.com/forums/t145712-load-balancing-an-https-java-web-application-in-tomcat.html ... may be i'm wrong or i don't have the right idea ... but when i saw that 302 the only thing that came to my mind was some problem related to the url and the server not finding the associated resources ... i'm checking if maybe thats the reason...
Julio César
> Date: Wed, 13 Aug 2008 11:56:19 -0400> From: chris@christopherschultz.net> To: users@tomcat.apache.org> Subject: Re: https & j_security_check> > -----BEGIN PGP SIGNED MESSAGE-----> Hash: SHA1> > Julio,> > Julio César Chaves Fernández wrote:> | I was checking the http in my application and the server response is> | a 302 ... what could possibly do this when using https ... could it> | be something related to the URL ... or how could the server get> | confused given that with http it works fine.> > Are you switching between HTTP and HTTPS? Some folks try to use HTTPS> for the login and then redirect to HTTP for the rest of the application.> That doesn't work unless the session cookie has been created from a> non-secure URL. Otherwise the cookie itself is marked as "secure" and> won't be sent by your browser when you switch back to HTTP. Could this> be your problem?> > - -chris> -----BEGIN PGP SIGNATURE-----> Version: GnuPG v1.4.9 (MingW32)> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org> > iEYEARECAAYFAkijBCIACgkQ9CaO5/Lv0PD5/QCfVCw6UgMkYilZqsVUnKRQAznX> 8xwAni9vqVdMJpHV7Z0jJQoTqicT3Ct3> =hk6b> -----END PGP SIGNATURE-----> > ---------------------------------------------------------------------> To start a new topic, e-mail: users@tomcat.apache.org> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org> For additional commands, e-mail: users-help@tomcat.apache.org>
_________________________________________________________________
Explore the seven wonders of the world
http://search.msn.com/results.aspx?q=7+wonders+world&mkt=en-US&form=QBRE
Re: https & j_security_check
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Julio,
Julio César Chaves Fernández wrote:
| I was checking the http in my application and the server response is
| a 302 ... what could possibly do this when using https ... could it
| be something related to the URL ... or how could the server get
| confused given that with http it works fine.
Are you switching between HTTP and HTTPS? Some folks try to use HTTPS
for the login and then redirect to HTTP for the rest of the application.
That doesn't work unless the session cookie has been created from a
non-secure URL. Otherwise the cookie itself is marked as "secure" and
won't be sent by your browser when you switch back to HTTP. Could this
be your problem?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkijBCIACgkQ9CaO5/Lv0PD5/QCfVCw6UgMkYilZqsVUnKRQAznX
8xwAni9vqVdMJpHV7Z0jJQoTqicT3Ct3
=hk6b
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: https & j_security_check
Posted by Julio César Chaves Fernández <he...@hotmail.com>.
Hi,
I was checking the http in my application and the server response is a 302 ... what could possibly do this when using https ... could it be something related to the URL ... or how could the server get confused given that with http it works fine.
TIA,
Julio César
_________________________________________________________________
Discover the new Windows Vista
http://search.msn.com/results.aspx?q=windows+vista&mkt=en-US&form=QBRE
RE: https & j_security_check
Posted by Julio César Chaves Fernández <he...@hotmail.com>.
Yes, i'm logging over https ...without https the application authenticates the user and then calls for an action (with struts) ... but with https the application returns to the login page ... it's like nothing had happened.
> Date: Sat, 9 Aug 2008 17:37:10 +0100> From: markt@apache.org> To: users@tomcat.apache.org> Subject: Re: https & j_security_check> > Julio César Chaves Fernández wrote:> > but my problem is when the user and password are right ... i doesn't takes me to the site but leaves me again in the login page> Are you logging in over https?> > Mark> > > > ---------------------------------------------------------------------> To start a new topic, e-mail: users@tomcat.apache.org> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org> For additional commands, e-mail: users-help@tomcat.apache.org>
_________________________________________________________________
Connect to the next generation of MSN Messenger
http://imagine-msn.com/messenger/launch80/default.aspx?locale=en-us&source=wlmailtagline
Re: https & j_security_check
Posted by Mark Thomas <ma...@apache.org>.
Julio César Chaves Fernández wrote:
> but my problem is when the user and password are right ... i doesn't takes me to the site but leaves me again in the login page
Are you logging in over https?
Mark
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: https & j_security_check
Posted by Julio César Chaves Fernández <he...@hotmail.com>.
Yes, it is the way it's designed ... but my problem is when the user and password are right ... i doesn't takes me to the site but leaves me again in the login page (this when I have https, without it the application works fine)... with the redirection to the form-error page defined in the web.xml file i know that it tries to authenticate the user and if it fails everything works how it's supossed to ... with https the authentication, although correct, redirects me to the login page ... so my problem is when i have https active ... otherwise everything works perfectly.
Thanks again for helping.
Julio César
> Date: Fri, 8 Aug 2008 22:46:05 -0400> From: chris@christopherschultz.net> To: users@tomcat.apache.org> Subject: Re: https & j_security_check> > -----BEGIN PGP SIGNED MESSAGE-----> Hash: SHA1> > Julio,> > Julio César Chaves Fernández wrote:> | The curious thing is that when the password is> | wrong the redirection is to the form-error page defined in the> | web.xml file. So, I was hoping you could give me some sort of advice> | or where could I start looking to know why it behaves like that.> > Perhaps I have misunderstood your question, but what you describe above> is simply the way that form-based authentication is designed in the> servlet specification. See section 12.5.3 of the servlet specification> for the full story.> > - -chris> > -----BEGIN PGP SIGNATURE-----> Version: GnuPG v1.4.9 (MingW32)> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org> > iEYEARECAAYFAkidBO0ACgkQ9CaO5/Lv0PAL2wCfZfMx+WfG0pXRFkzC2JBIBSi6> sdkAnjhzQVfyHLESWHHFlbfLiYix4sOe> =Fy6M> -----END PGP SIGNATURE-----> > ---------------------------------------------------------------------> To start a new topic, e-mail: users@tomcat.apache.org> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org> For additional commands, e-mail: users-help@tomcat.apache.org>
_________________________________________________________________
Invite your mail contacts to join your friends list with Windows Live Spaces. It's easy!
http://spaces.live.com/spacesapi.aspx?wx_action=create&wx_url=/friends.aspx&mkt=en-us
Re: https & j_security_check
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Julio,
Julio César Chaves Fernández wrote:
| The curious thing is that when the password is
| wrong the redirection is to the form-error page defined in the
| web.xml file. So, I was hoping you could give me some sort of advice
| or where could I start looking to know why it behaves like that.
Perhaps I have misunderstood your question, but what you describe above
is simply the way that form-based authentication is designed in the
servlet specification. See section 12.5.3 of the servlet specification
for the full story.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkidBO0ACgkQ9CaO5/Lv0PAL2wCfZfMx+WfG0pXRFkzC2JBIBSi6
sdkAnjhzQVfyHLESWHHFlbfLiYix4sOe
=Fy6M
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org