Posted to users@tomcat.apache.org by Bruce Edge <br...@gmail.com> on 2009/06/17 16:32:17 UTC

Mix http and https on one tomcat server?

Is it possible to deploy both http and https on the same tomcat instance?
I'd like to expose https to the external IP addr and http to 127.0.0.1.

How is this configured in the server.xml file?

I'm using apache cxf if that matters.

Thanks

-Bruce

P.S. Apologies if this is a resend, I have just joined and I'm not sure if
my first post got through.

Re: Mix http and https on one tomcat server?

Posted by André Warnier <aw...@ice-sa.com>.
André Warnier wrote:
> Bruce Edge wrote:
> ...
>>
Since I don't really feel like doing what I should really be doing 
tonight, let me elaborate a bit.

The Request comes "into" your webapp, and first hits the filter.
The filter checks if the IP origin of the request is 127.0.0.1.
If it is, it "authenticates" the request with some pre-defined user/role 
(*).  If it's from somewhere else, it doesn't.
Next, the request filters down to your webapp.
The security environment around your webapp (Tomcat's doing, according 
to your setup) checks if the request is authenticated.  If it is, it 
goes through to your webapp.  If not, it is intercepted by the normal 
authentication mechanism.

Now the (*) bit, I'll leave to the experts, because I don't really have 
a clue how to write something like that.  All I know is that there must 
be some UserPrincipal kind of object involved there.

But I think that the urlrewritefilter also can do the dirty stuff for 
you there.
I'll go check, cause I'm also interested.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Mix http and https on one tomcat server?

Posted by André Warnier <aw...@ice-sa.com>.
Bruce Edge wrote:
> Securityfilter seems like overkill. I'd like to try the custom Valve first.
> 
> Any idea how I can get at the Role from the Valve invoke method?

Sorry, that's beyond my league.  But persist a little, there's a lot 
here who could tell you.



Re: Mix http and https on one tomcat server?

Posted by Bruce Edge <br...@gmail.com>.
Securityfilter seems like overkill. I'd like to try the custom Valve first.

Any idea how I can get at the Role from the Valve invoke method?

    public void invoke(Request arg0, Response arg1) throws IOException,
ServletException {

Can I drill down into the Request and find the role?

-Bruce


On Thu, Jun 18, 2009 at 2:33 PM, André Warnier <aw...@ice-sa.com> wrote:

> Bruce Edge wrote:
>
>>
>>>  André,
>> thanks for your help.
>>
>
> Well actually, forget all I said, it turns out that it was mostly nonsense.
>  The problem is, that if you use the container (Tomcat) based
> authentication, then the authentication will happen anyway, before it even
> gets to the servlet filter.
>
> So it is really a <Valve> which you need.
> A <Valve> "happens" at an earlier stage, before the webapp (and filters)
> are involved, so that would be early enough.
>
> Or else, you have to go for .. well yes, a servlet filter which does
> authentication (instead of the normal Tomcat auth stuff).
> There is something like that called SecurityFilter.
> (Here : http://securityfilter.sourceforge.net/)
>
> Don't let this put you down though.  Doing authentication via a filter like
> SecurityFilter is a lot more flexible than with the embedded container
> method.
>
>
>
>

Re: Mix http and https on one tomcat server?

Posted by André Warnier <aw...@ice-sa.com>.
Bruce Edge wrote:
>>
> André,
> thanks for your help.

Well actually, forget all I said, it turns out that it was mostly 
nonsense.  The problem is, that if you use the container (Tomcat) based 
authentication, then the authentication will happen anyway, before it 
even gets to the servlet filter.

So it is really a <Valve> which you need.
A <Valve> "happens" at an earlier stage, before the webapp (and filters) 
are involved, so that would be early enough.

Or else, you have to go for .. well yes, a servlet filter which does 
authentication (instead of the normal Tomcat auth stuff).
There is something like that called SecurityFilter.
(Here : http://securityfilter.sourceforge.net/)

Don't let this put you down though.  Doing authentication via a filter 
like SecurityFilter is a lot more flexible than with the embedded 
container method.





Re: Mix http and https on one tomcat server?

Posted by Bruce Edge <br...@gmail.com>.
On Thu, Jun 18, 2009 at 2:10 PM, André Warnier <aw...@ice-sa.com> wrote:

> André Warnier wrote:
>
> Ooops. I forgot to add this : in the /thewebapp-internal, you should also
> have a filter, this time which /blocks/ the request if it does /not/ come
> from 127.0.0.1.  Otherwise people not from 127.0.0.1 would be able to hit it
> directly, just by knowing the /thewebapp-internal URL.
>
André,
thanks for your help. If I deploy the app twice, would I not need to provide
a different deployment url for the 2nd instance?
In which case I could direct the internal clients to this unprotected url
directly without using a filter.

I'd like to not have 2 copies of the app running as there is global state in
there that I would have to sync between instances.

Can I write a custom valve that does this by altering the role?
Would this be a matter of defining a new class, say
org.apache.catalina.valves.ValveMine and bundling it with the war, or would
it need to go in a jar in CATALINA_HOME/libs?

All I need to know then is how to change the role within the Valve.

-Bruce

Re: Mix http and https on one tomcat server?

Posted by André Warnier <aw...@ice-sa.com>.
André Warnier wrote:

Ooops. I forgot to add this : in the /thewebapp-internal, you should 
also have a filter, this time which /blocks/ the request if it does 
/not/ come from 127.0.0.1.  Otherwise people not from 127.0.0.1 would be 
able to hit it directly, just by knowing the /thewebapp-internal URL.





Re: Mix http and https on one tomcat server?

Posted by André Warnier <aw...@ice-sa.com>.
André Warnier wrote:
and he's back.
Browsing the documentation of urlrewritefilter, at
http://tuckey.org/urlrewrite/manual/2.6/

In the <condition> element, one of the conditions is :
remote-addr	The IP address of the host making the request, e.g. 
123.123.123.12 i.e. request.getRemoteAddr()

So you can definitely test on 127.0.0.1

You can also, subsequent to this test, re-direct the request somewhere 
else (have not yet found the rule for that).

So one way to do what you want joins a previous suggestion of Chuck :
- duplicate your webapp
   - have it set up once as
   (tomcat_dir)/webapps/thewebapp
         (with the authentication bit)
   - and again as
   (tomcat_dir)/webapps/thewebapp-internal
      (the same, just omit the authentication section in web.xml)

Then, set up urlrewritefilter so :
- if the request to /thewebapp comes from 127.0.0.1, re-direct it 
(internally) to /thewebapp-internal
- otherwise, don't do anything (and it will hit the normal 
authentication of /thewebapp)

Inconvenient : requests that go through /thewebapp-internal have /no/ 
authentication.  If your webapp really needs one (internally), then you 
have a problem.  But if the authentication is merely to restrict access, 
and the user-id is not used inside, then you're ok.






Re: Mix http and https on one tomcat server?

Posted by André Warnier <aw...@ice-sa.com>.
Bruce Edge wrote:
...
> 
> I can do this:
> 
>         <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> allow="127.*"/>
> 
> but does that really do anything if I'm already accepting connections from
> 127.*?
> 
You're right (and perceptive). /That/ Valve does not help.
Chuck meant that you'd need to write one.
Which for him I'm sure is a piece of cake. ;-)


> 
> What do you mean by a filter?
> 
The first 3 paragraphs of this :
http://java.sun.com/products/servlet/Filters.html
are a quick intro.

See it like this (very simplified of course)

a) without a filter

Client -> Request -> your webapp -> Response -> Client

b) with a filter

Client -> Request -> filter(a) -> Request -> your webapp -> Response -> 
filter(b) -> Response -> Client

filter(a) and filter(b) are actually contained in the same piece of 
software.  It is a kind of "wrapper" that "wraps" your webapp.  It sees 
all that comes in before your webapp does (and can modify it), and sees 
everything that comes out of your webapp (and can modify it before the 
Client sees it).
It's very neat, because you do not need to modify your webapp in any 
way, and it does not even know that it is being wrapped.

It's even rather simple to write, since even I could do it.

For a (very useful) example of a filter, see here :
http://tuckey.org/urlrewrite/
which may or may not be what you need in this case






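The blocking filter André describes for /thewebapp-internal (the copy of the webapp deployed without an authentication section, which must refuse anything that does not come from 127.0.0.1), written out as a servlet Filter in the filter(a)/filter(b) shape he sketches above. This is an added example, not code from the thread or from the urlrewritefilter project; the class name LoopbackOnlyFilter, the package example.filters and the filter-name are assumptions, and it targets the Servlet 2.5 API that Tomcat 6 ships.

```java
package example.filters; // hypothetical package, chosen for this example

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Registered in WEB-INF/web.xml of the *unauthenticated* copy of the webapp
 * (the /thewebapp-internal deployment), mapped over everything:
 *
 *   <filter>
 *     <filter-name>LoopbackOnly</filter-name>
 *     <filter-class>example.filters.LoopbackOnlyFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>LoopbackOnly</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 *
 * Because a Filter is packaged inside the WAR, the webapp itself needs no
 * change; it never learns that it has been wrapped.
 */
public class LoopbackOnlyFilter implements Filter {

    public void init(FilterConfig config) { }

    public void destroy() { }

    /** IPv4 and IPv6 loopback as Tomcat reports them in getRemoteAddr(). */
    static boolean isLoopback(String addr) {
        return "127.0.0.1".equals(addr)
            || "0:0:0:0:0:0:0:1".equals(addr)
            || "::1".equals(addr);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // filter(a): runs before the webapp sees the request.
        // Check both ends of the socket: the peer must be loopback AND the
        // request must have arrived on a loopback-bound connector, so a
        // request that merely carries a spoofable header cannot pass.
        if (!isLoopback(req.getRemoteAddr()) || !isLoopback(req.getLocalAddr())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // chain is not continued: the webapp never runs for this request
        }

        chain.doFilter(req, res); // hand the request on to the webapp (or next filter)

        // filter(b): anything placed here runs after the webapp has produced
        // its response and could inspect or alter it before the client sees it.
    }
}
```

One caveat for the deployment: a reverse proxy running on the same machine also connects from 127.0.0.1, so this check only means "local process" when no such proxy fronts the loopback connector.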


Re: Mix http and https on one tomcat server?

Posted by Bruce Edge <br...@gmail.com>.
On Wed, Jun 17, 2009 at 9:37 AM, Caldarale, Charles R <
Chuck.Caldarale@unisys.com> wrote:

> > From: Bruce Edge [mailto:bruce.edge@gmail.com]
> > Subject: Re: Mix http and https on one tomcat server?
>

<...snip...>


>
> > but can it be setup to _not_ require a password for localhost access?
>
> Not without some additional configuration.  Don't try to do this at the
> <Connector> level - it's unlikely that you'll ever be able to get it to
> work.  Instead, use a filter or <Valve> to check the client's IP address,
> and set the role in the Session object if it's localhost.
>


How do I set the role in a valve?

I can do this:

        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127.*"/>

but does that really do anything if I'm already accepting connections from
127.*?


What do you mean by a filter?

Sorry, I'm really new at this. I'm a C++/gSOAP web services guy who's in the
middle of a toolset change :-)

-Bruce



>
> > In short, I want:
> >     localhost - no auth, no ssl
> >     external - passwd auth and ssl
>
> I suspect you're going to have to use SSL for any protected webapp,
> regardless of the client's IP address.
>
> You might want to look at http://securityfilter.sourceforge.net/ to see if
> it will do more of what you want.
>
>  - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you received
> this in error, please contact the sender and delete the e-mail and its
> attachments from all computers.
>
>

RE: Mix http and https on one tomcat server?

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Bruce Edge [mailto:bruce.edge@gmail.com]
> Subject: Re: Mix http and https on one tomcat server?
> 
> I assume that I need a different connector for each, so I changed the
> 8080 redirector in server.xml:

Put it back the way it was; the redirectPort attribute is required so a switch to HTTPS can occur when needed.

> However, I don't see where I designate the difference between a local
> address, 127.0.0.1, and an external address.

You normally don't need to.  Tomcat listens on all available IP addresses, including 127.0.0.1.  If you want to restrict a particular connector to just 127.0.0.1, use the address attribute.

> <url-pattern>/*</url-pattern>   <- Is this what needs to
> refer to the internal vs. external address?

No, the <url-pattern> is relative to the webapp.

> but can it be setup to _not_ require a password for localhost access?

Not without some additional configuration.  Don't try to do this at the <Connector> level - it's unlikely that you'll ever be able to get it to work.  Instead, use a filter or <Valve> to check the client's IP address, and set the role in the Session object if it's localhost.

> In short, I want:
>     localhost - no auth, no ssl
>     external - passwd auth and ssl

I suspect you're going to have to use SSL for any protected webapp, regardless of the client's IP address.

You might want to look at http://securityfilter.sourceforge.net/ to see if it will do more of what you want.

 - Chuck




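Chuck's two pieces of advice above, binding a connector to 127.0.0.1 with the address attribute and "use a filter or <Valve> to check the client's IP address, and set the role", together with Bruce's later question of how a Valve's invoke method gets at the role, worked through as one Valve. This is an added example and not code from the thread or from Tomcat itself; the class name LoopbackTrustValve, the package, the userName/roles attributes and the role name "internal" are assumptions. It is written against the Tomcat 6 API the thread's documentation links refer to (GenericPrincipal there takes the Realm as its first argument; Tomcat 7 and later drop that argument).

```java
package example.valves; // hypothetical package, chosen for this example

import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

/**
 * server.xml sketch this valve is meant for (attribute values are examples):
 *
 *   <!-- plain HTTP reachable only from the machine itself -->
 *   <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
 *              connectionTimeout="20000" redirectPort="8443"/>
 *   <!-- HTTPS on the external interface only -->
 *   <Connector port="8443" protocol="HTTP/1.1" address="192.0.2.10"
 *              SSLEnabled="true" scheme="https" secure="true"
 *              keystoreFile="servIdentity.jks" clientAuth="false" sslProtocol="TLS"/>
 *   ...
 *   <Context path="/thewebapp" ...>
 *     <Valve className="example.valves.LoopbackTrustValve"
 *            userName="localhost" roles="internal"/>
 *   </Context>
 *
 * Declared on the Context, the valve sits in the pipeline ahead of Tomcat's
 * authenticator valve, which is the "earlier stage" the thread mentions. The
 * class must live in a jar under CATALINA_HOME/lib, not inside the WAR: the
 * container instantiates valves before any webapp class loader exists.
 */
public class LoopbackTrustValve extends ValveBase {

    private String userName = "localhost";
    private List<String> roles = Arrays.asList("internal");

    // Tomcat maps the element's attributes onto bean-style setters.
    public void setUserName(String userName) {
        this.userName = userName;
    }

    public void setRoles(String csv) {
        this.roles = Arrays.asList(csv.trim().split("\\s*,\\s*"));
    }

    /** IPv4 and IPv6 loopback as Tomcat reports them. */
    static boolean isLoopback(String addr) {
        return "127.0.0.1".equals(addr)
            || "0:0:0:0:0:0:0:1".equals(addr)
            || "::1".equals(addr);
    }

    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Trust the request only if the peer is loopback AND it arrived on the
        // loopback-bound connector. A reverse proxy on the same host would also
        // show up as 127.0.0.1, so do not deploy this in front of such a proxy.
        if (request.getUserPrincipal() == null
                && isLoopback(request.getRemoteAddr())
                && isLoopback(request.getLocalAddr())) {
            // A GenericPrincipal carries its roles; RealmBase.hasRole() consults
            // them, so the <auth-constraint> role check passes without a password.
            GenericPrincipal local = new GenericPrincipal(
                    request.getContext().getRealm(), userName, null, roles);
            request.setAuthType("LOOPBACK");
            request.setUserPrincipal(local);
        }
        // Everything else falls through to the normal BASIC authenticator.
        getNext().invoke(request, response);
    }
}
```

Because a principal is already present, the BASIC authenticator treats the request as authenticated and skips the challenge; external clients, which can only reach the HTTPS connector, still get the password prompt. Note this does nothing about a <transport-guarantee>CONFIDENTIAL</transport-guarantee> constraint, which Tomcat enforces separately, which is the reason for Chuck's remark that protected webapps may need SSL regardless of the client's address.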


Re: Mix http and https on one tomcat server?

Posted by Bruce Edge <br...@gmail.com>.
On Wed, Jun 17, 2009 at 8:39 AM, Caldarale, Charles R <
Chuck.Caldarale@unisys.com> wrote:

> > From: Bruce Edge [mailto:bruce.edge@gmail.com]
> > Subject: Mix http and https on one tomcat server?
> >
> > Is it possible to deploy both http and https on the same
> > tomcat instance?
>
> Of course.
>
> Read the doc:
> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL%20Support
>
>  - Chuck
>

I assume that I need a different connector for each, so I changed the 8080
redirector in server.xml:
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
redirectPort="8443"/>
to:
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>

My ssl connector is:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="servIdentity.jks" clientAuth="false" sslProtocol="TLS"/>


However, I don't see where I designate the difference between a local
address, 127.0.0.1, and an external address.

I've defined 2 <security-constraint> blocks in web.xml:
    <security-constraint>
....
          <url-pattern>/*</url-pattern>   <- Is this what needs to refer to
the internal vs. external address?  <url-pattern>127.0.0.1:8080/*</url-pattern>
?
....
    </security-constraint>

I also have 2 roles setup in tomcat-users.xml which are referenced by the
above 2 <security-constraint> blocks.


I have this in web.xml for the ssl passwd:
      <login-config>
            <auth-method>BASIC</auth-method>
       </login-config>
but can it be setup to _not_ require a password for localhost access? Where
do I make this role specific?


In short, I want:
    localhost - no auth, no ssl
    external - passwd auth and ssl

I can get one or the other but not both at the same time.

-Bruce

RE: Mix http and https on one tomcat server?

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Bruce Edge [mailto:bruce.edge@gmail.com]
> Subject: Mix http and https on one tomcat server?
> 
> Is it possible to deploy both http and https on the same 
> tomcat instance?

Of course.

Read the doc:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL%20Support

 - Chuck



