Posted to users@tomcat.apache.org by James_sys <ja...@mysparekey.co.uk> on 2005/01/10 16:17:09 UTC

Problem getting http redirected to https

Hi,

I've been wrestling with SSL on Tomcat for a while now. Hope you can offer
some useful pointers.

My problem is around getting http requests auto-redirected to return an
https response.

I can request https://exampleServer.com:8443/testPage.html and get an
encrypted response.

However, if I request http://exampleServer.com:8080/testPage.html I see an
HTTP 500 "internal error" message. I was expecting the server to internally
redirect the request to https://... and return an encrypted response.

I've configured a security-constraint in web.xml for testPage.html. I've
checked the servlet and catalina logs but don't see any errors or warnings.

I'm working with Tomcat 4.1.30 on a FreeBSD v4.7 platform. I know these are
old versions, but I'm constrained by other dependencies in the Production
environment.

Apologies if this is a common problem - I have checked the archives but
didn't find what I need.

Thanks for any help.

Regards,

James.




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


RE: Problem getting http redirected to https

Posted by James_sys <ja...@mysparekey.co.uk>.
I've managed to find a solution to this problem. I expect it only really
applied to Tomcat 4.1x and jdk1.3. For completeness (and to help out any
people with a similar problem in the future) here's what was needed.

Tomcat 4.1 and jdk1.3 work fine. However, the default configuration at
installation is missing a couple of crucial details.

1. In $JAVA_HOME\jre\lib\security\java.security these entries are needed:

security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider

The default jdk1.4 config excludes security.provider.2.

2. At runtime use -D on the JVM startup (or issue a System.setProperty call
from within your web app) to define the https protocol package as follows:

	-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol

Tomcat 4.1 doesn't seem to include this initialisation call as part of its
default initialisation.

With these two changes, http -> https worked as expected.
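As an added check, not code from the thread or from Tomcat, the following Python probe requests a plain-HTTP URL that web.xml marks CONFIDENTIAL and judges the answer: the expected behaviour is a redirect (not a 500) to the same host, path and query over https on the port named in the HTTP connector's redirectPort. The hostname, ports and path are the ones used in this thread and are assumptions; the probe never follows the redirect, and it accepts any 3xx redirect status rather than assuming a particular one.

```python
# Added example, not code from the thread or from Tomcat: probe a plain-HTTP
# URL that web.xml marks CONFIDENTIAL and judge the answer. The expected
# behaviour is a redirect (not a 500) to the same host and path over https on
# the connector's redirectPort. The hostname, ports and path below are the
# ones used in this thread (assumptions); nothing here follows the redirect.
import http.client
import sys
from urllib.parse import urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def check_redirect(request_url, status, location, https_port=8443):
    """Judge the (status, Location) pair a server returned for request_url.

    Returns (ok, reason). ok is True only when the response is a redirect whose
    target keeps the host, path and query, switches the scheme to https and
    lands on https_port (the redirectPort configured on the HTTP connector).
    """
    if status not in REDIRECT_STATUSES:
        return False, "expected a redirect status, got %s" % status
    if not location:
        return False, "redirect without a Location header"
    req, loc = urlsplit(request_url), urlsplit(location)
    if loc.scheme != "https":
        return False, "redirect target is not https: %s" % location
    if loc.hostname != req.hostname:
        return False, "redirect changes host: %s -> %s" % (req.hostname, loc.hostname)
    target_port = loc.port or 443
    if target_port != https_port:
        return False, "redirect lands on port %d, expected %d" % (target_port, https_port)
    if loc.path != req.path or loc.query != req.query:
        return False, "redirect changes path or query: %s -> %s" % (request_url, location)
    return True, "ok"


def probe(request_url, https_port=8443, timeout=5):
    """Issue one GET over plain HTTP and return check_redirect's verdict."""
    parts = urlsplit(request_url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return check_redirect(request_url, resp.status, resp.getheader("Location"), https_port)
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python probe.py http://exampleServer.com:8080/testPage.html 8443
    url = sys.argv[1] if len(sys.argv) > 1 else "http://exampleServer.com:8080/testPage.html"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    ok, reason = probe(url, port)
    print("PASS" if ok else "FAIL", reason)
    sys.exit(0 if ok else 1)
```

A FAIL with "expected a redirect status, got 500" is the symptom described at the top of this thread; a FAIL on the port check means the HTTP connector's redirectPort and the https connector's port disagree.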


RE: Problem getting http redirected to https

Posted by James_sys <ja...@mysparekey.co.uk>.
Thanks, Mark - good point. I've attached relevant snippets from web.xml &
server.xml below.

I've also tried an equivalent configuration on Tomcat 5, jdk 1.4, Win 2k.
Interestingly, this worked fine.

My on-going quest for a solution under Tomcat 4.1, jdk 1.3, FreeBSD 4.7
threw up a couple of interesting comments from people on other groups:

- One observation was that upgrading the jdk from 1.3 to 1.4 solved the
problem (alas, not a practical option for me - I'm constrained by the
Production environment operating system, locked at FreeBSD v4.7 which can't
take jdk 1.4).
- Another observation (which I intend to investigate further today) was that
including some extra code in the web application worked around the problem.
Code snippet was:

    // Register the JSSE URL handler package and the JSSE provider
    // (needs: import java.security.Security;)
    System.setProperty("java.protocol.handler.pkgs",
                       "com.sun.net.ssl.internal.www.protocol");
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

These observations, coupled with things working as expected with newer
product versions, are beginning to suggest some version compatibility problem
with Tomcat 4.1 and jdk 1.3.

Finally, I tried switching the ports to their defaults of 80 and 443, and
running the Tomcat service under root. The problem remained the same.

server.xml snippet:

    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="80" scheme="http" secure="false" redirectPort="443"
               protocolHandlerClassName="org.apache.coyote.http11.Http11Protocol"
               bufferSize="2048" serverSocketTimeout="0"
               connectionUploadTimeout="300000" useBodyEncodingForURI="true"
               tomcatAuthentication="true" connectionTimeout="20000"
               enableLookups="true" debug="0"
               maxKeepAliveRequests="100" disableUploadTimeout="true" proxyPort="0"
               tcpNoDelay="true" maxProcessors="75" minProcessors="5" acceptCount="100"
               useURIValidationHack="false" compression="off" connectionLinger="-1">
      <Factory className="org.apache.catalina.net.DefaultServerSocketFactory"/>
    </Connector>
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8009" scheme="http" secure="false" redirectPort="443"
               protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"
               bufferSize="2048" serverSocketTimeout="0"
               connectionUploadTimeout="300000" useBodyEncodingForURI="true"
               tomcatAuthentication="true" connectionTimeout="0"
               enableLookups="true" debug="0"
               maxKeepAliveRequests="100" disableUploadTimeout="false" proxyPort="0"
               tcpNoDelay="true" maxProcessors="75" minProcessors="5" acceptCount="10"
               useURIValidationHack="false" compression="off" connectionLinger="-1">
      <Factory className="org.apache.catalina.net.DefaultServerSocketFactory"/>
    </Connector>
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="443" scheme="https" secure="true" redirectPort="443"
               protocolHandlerClassName="org.apache.coyote.http11.Http11Protocol"
               bufferSize="2048" serverSocketTimeout="0"
               connectionUploadTimeout="300000" useBodyEncodingForURI="true"
               tomcatAuthentication="true" connectionTimeout="60000"
               enableLookups="true" debug="0"
               maxKeepAliveRequests="100" disableUploadTimeout="true" proxyPort="0"
               tcpNoDelay="true" maxProcessors="75" minProcessors="5" acceptCount="100"
               useURIValidationHack="false" compression="off" connectionLinger="-1">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               keystoreFile="/home/james/.keystore" keystoreType="JKS"
               keystorePass="changeit" sslProtocol="TLS" clientAuth="false"
               rootFile="/home/james/root.pem" randomFile="/home/james/random.pem"/>
    </Connector>

web.xml snippet (example here is for a single page - I've also tried
url-patterns for directories, e.g. /pages/*):

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Secure</web-resource-name>
        <url-pattern>/ssl_test2.html</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
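The two configuration facts that have to line up for the redirect are visible in the snippets above: the HTTP connector's redirectPort must be the port of a connector that is secure="true" and scheme="https", and the requested path must fall under a security-constraint whose transport-guarantee is CONFIDENTIAL. The Python lint below is an added example, not code from the thread or from Tomcat; it checks both over the configuration, with the embedded XML reduced from the snippets posted here (only the attributes the check reads are kept) and constructed for this example. The pattern matching goes slightly beyond the single-page case in the thread and also handles the directory (/pages/*) and extension (*.jsp) forms of url-pattern.

```python
# Added example, not code from the thread or from Tomcat: a small lint over
# server.xml and web.xml for the two things an http -> https redirect needs.
# Every non-secure <Connector> must name, in redirectPort, the port of a
# <Connector> with secure="true" scheme="https", and the protected path must
# sit under a <security-constraint> whose transport-guarantee is CONFIDENTIAL.
# The embedded XML is reduced from the snippets posted in this thread (only
# the attributes the check reads are kept) and is constructed for this example.
import xml.etree.ElementTree as ET

SERVER_XML = """<Server><Service name="Tomcat-Standalone">
  <Connector port="80"   scheme="http"  secure="false" redirectPort="443"/>
  <Connector port="8009" scheme="http"  secure="false" redirectPort="443"/>
  <Connector port="443"  scheme="https" secure="true"  redirectPort="443"/>
</Service></Server>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure</web-resource-name>
      <url-pattern>/ssl_test2.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def local(tag):
    """Strip an XML namespace: Servlet 2.4 web.xml puts every element in one."""
    return tag.rsplit("}", 1)[-1]


def connector_problems(server_xml):
    """Return a list of problems; empty means every plain connector's
    redirectPort names a connector that is secure="true" and scheme="https"."""
    root = ET.fromstring(server_xml)
    conns = [e for e in root.iter() if local(e.tag) == "Connector"]
    secure_ports = {c.get("port") for c in conns
                    if c.get("secure") == "true" and c.get("scheme") == "https"}
    problems = []
    for c in conns:
        if c.get("secure") == "true":
            continue
        target = c.get("redirectPort")
        if target is None:
            problems.append("connector on port %s has no redirectPort" % c.get("port"))
        elif target not in secure_ports:
            problems.append("connector on port %s redirects to %s, which is not a "
                            "secure https connector" % (c.get("port"), target))
    return problems


def confidential_patterns(web_xml):
    """Return the url-patterns covered by a CONFIDENTIAL transport guarantee."""
    root = ET.fromstring(web_xml)
    patterns = set()
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        guarantees = {e.text.strip() for e in sc.iter()
                      if local(e.tag) == "transport-guarantee" and e.text}
        if "CONFIDENTIAL" not in guarantees:
            continue
        patterns.update(e.text.strip() for e in sc.iter()
                        if local(e.tag) == "url-pattern" and e.text)
    return patterns


def path_is_constrained(path, patterns):
    """Servlet-style matching: exact path, directory prefix '/dir/*',
    or extension '*.ext'."""
    for p in patterns:
        if p == path:
            return True
        if p.endswith("/*") and (path == p[:-2] or path.startswith(p[:-1])):
            return True
        if p.startswith("*.") and path.endswith(p[1:]):
            return True
    return False


if __name__ == "__main__":
    for problem in connector_problems(SERVER_XML) or ["connectors: ok"]:
        print(problem)
    patterns = confidential_patterns(WEB_XML)
    for path in ("/ssl_test2.html", "/testPage.html"):
        print(path, "is" if path_is_constrained(path, patterns) else "is NOT",
              "forced to https")
```

To run it against real files, pass the file contents (for example `open("conf/server.xml").read()`) instead of the embedded strings. Run on the snippets above, the connector check passes and /ssl_test2.html is reported as forced to https, while /testPage.html (the URL from the original question) is not covered by this particular constraint.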


Re: Problem getting http redirected to https

Posted by Mark Anderson <an...@mitre.org>.
Since it's not working right, it would help if you showed us what you did
when you "configured a security-constraint in web.xml for testPage.html".
Did you do:

<user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

In CATALINA_HOME/conf/server.xml, you need to configure the HTTP connector
to redirect HTTPS to the HTTPS connector.

Do you have an HTTP connector configured in server.xml?  There are examples 
in the server.xml that shipped with Tomcat.

<Connector port="8080" redirectPort="8443" ... >

<Connector port="8443" scheme="https" secure="true" sslProtocol="TLS" 
keystorePass="secreted" keystoreFile="/usr/tomcat/.keystore" ... />

- Mark

-- 
Mark Anderson                                voice:703-883-6508
Networking & Distributed Systems Engineer    fax  :703-883-5864
The MITRE Corporation                        email:anderson@mitre.org



Re: Problem getting http redirected to https

Posted by Mark Anderson <an...@mitre.org>.
James,

When I replied, I failed to notice that you are running tomcat 4.1.  I've 
never used 4.1 so I don't know if it used the same connector configuration 
syntax.  But, I'm guessing that you need to tell the HTTP connector to 
redirect to the HTTPS connector.

- Mark


-- 
Mark Anderson                                voice:703-883-6508
Networking & Distributed Systems Engineer    fax  :703-883-5864
The MITRE Corporation                        email:anderson@mitre.org
