Posted to users@tomcat.apache.org by Mike Johnson <mi...@nosm.ca> on 2016/09/22 14:18:23 UTC

http to https all traffic not working

I'm clearly misunderstanding how to do this, but I can't seem to find
appropriate documentation to get me to my goal.

My goal is to have any http request directed to the https equivalent.

On Tomcat 6, I was able to get it working, but something in my config is
different, or tomcat 8 has changed slightly enough that what I was doing on
6 doesn't work on 8.

I'm assuming it's the first, so digging through and comparing all my
config. While I do that, I'm hoping a message here may point me in the
right direction.

I've set up my 80 connector to redirect like so:

<Connector port="80"
               protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />


I've set up my 443 connector like so:
    <Connector port="443"
               maxThreads="1024" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="101" debug="0"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystoreFile="my.pfx"
               keystoreType="pkcs12"
               keystorePass="passw0rd"
    />


I've also included the security constraint in my web.xml like this:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth-constraint goes here if you require authentication -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>


I googled "http to https tomcat 8" and reviewed the top 10, and I can't
find anything different from the above either.

Any help would be appreciated. I am admittedly a hacker at this, and don't
fully understand all the various config files with tomcat yet...

Thanks!
Mike.

-- 
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON   P7B 5E1
Phone: (807) 766-7331
Email: mike.johnson@nosm.ca

Re: http to https all traffic not working

Posted by Mark Thomas <ma...@apache.org>.
On 22 September 2016 16:57:50 BST, Mike Johnson <mi...@nosm.ca> wrote:
>The default web.xml that is in the conf directory on a Windows install of
>tomcat.

And that is why you are seeing the behaviour you are. That is the default web.xml that is inherited by all webapps. There are complex rules for how to merge the default with the web.xml supplied by a webapp. The rules are based on the rules for merging web-fragment.xml files but I'd need to check the code for the details.

You see different behavior with the Manager app because it already had security constraints so the ones you add merge differently. To add to the fun there is another set of complex rules in the spec about how multiple constraints merge.

In 8.x you'll probably have better luck with the rewrite valve.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
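
The following is an added example, not part of the thread and not Tomcat's own code: a small audit that lists every `security-constraint` in a `web.xml` and flags URL patterns that require a login but declare no `CONFIDENTIAL` transport guarantee of their own, which is the kind of app-level constraint the reply above says merges differently with the default `web.xml`. Both XML samples are constructed, the role name `example-admin` is hypothetical, and the script only reports what each file declares; it does not reproduce Tomcat's merge rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the thread, as added to conf/web.xml.
GLOBAL_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: a webapp that ships its own authenticated constraint
# and declares no transport guarantee (role name is hypothetical).
APP_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin UI</web-resource-name>
      <url-pattern>/html/*</url-pattern>
      <url-pattern>/status/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>example-admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _children(elem, name):
    """Direct children called `name`, ignoring any XML namespace prefix."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def audit_web_xml(xml_text):
    """Return (url_pattern, requires_login, transport) for each constrained pattern."""
    rows = []
    for sc in _children(ET.fromstring(xml_text), "security-constraint"):
        transport = "NONE"  # servlet spec default when no guarantee is declared
        for udc in _children(sc, "user-data-constraint"):
            for tg in _children(udc, "transport-guarantee"):
                transport = (tg.text or "").strip().upper() or "NONE"
        requires_login = bool(_children(sc, "auth-constraint"))
        for wrc in _children(sc, "web-resource-collection"):
            for pat in _children(wrc, "url-pattern"):
                rows.append(((pat.text or "").strip(), requires_login, transport))
    return rows

def login_over_cleartext(xml_text):
    """Patterns that demand credentials but do not themselves require TLS."""
    return [p for p, login, t in audit_web_xml(xml_text) if login and t != "CONFIDENTIAL"]

if __name__ == "__main__":
    for name, doc in (("conf/web.xml", GLOBAL_WEB_XML), ("app web.xml", APP_WEB_XML)):
        print(name, audit_web_xml(doc), login_over_cleartext(doc))
```

Running it over each deployed application's `WEB-INF/web.xml` shows which apps need their own `user-data-constraint` instead of relying on the one added to `conf/web.xml`.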


Re: http to https all traffic not working

Posted by Mike Johnson <mi...@nosm.ca>.
The default web.xml that is in the conf directory on a Windows install of
tomcat.

This is a snippet of the file when viewed through Notepad++.


I added the security constraint to the bottom of this file just before the
ending web-app tag.

I don't recall if this listserv frowns upon URL linking so if you google
"tomcat 8 http to https redirect", the first 3-4 links all say the exact
same thing as what I did to try and implement the http forwarding to https.

As I said in my previous email, it does work for the other web apps, but
the manager-gui seems to act odd. My other web apps do not use the same
type of authentication that the manager-gui does. This may be a red
herring, but that's why I posed the question to this listserv.

Thanks!
Mike.

On Thu, Sep 22, 2016 at 11:38 AM, Mark Thomas <ma...@apache.org> wrote:

> Exactly which web.xml file(s) did you edit?
>
> Mark



Re: http to https all traffic not working

Posted by Mark Thomas <ma...@apache.org>.
On 22 September 2016 15:43:47 BST, Mike Johnson <mi...@nosm.ca> wrote:
>I did a little more testing and it seems that only the Tomcat
>Manager/Server (a.k.a. the logged in areas) of the default Tomcat install
>is acting this way. This is perhaps why I thought it was working on Tomcat
>6.
>
>My web apps are working as I expected them to, redirecting all traffic to
>the appropriate https url.
>
>So, this may be a simpler question now: Can anyone explain to me what is
>happening in the Tomcat manager?
>
>Tomcat manager's user prompt seems to override the switch of protocol. (go
>to http://localhost/manager/html, never kicks me over to https)
>
>Also, once I'm logged into the manager app, if I remove the 's' on https
>and hit enter, it reprompts for a login, and lets me into http.
>
>If I continue on in the same session, I can actually use http with 443...
>seemingly using both sessions I've created :P really messed up.
>
>Anyway, this isn't overly important as none of our admins will log into
>manager remotely, so ssl into manager isn't required. It also seems to work
>fine with the webapp, which is the main goal.
>
>Thanks!
>Mike.

Exactly which web.xml file(s) did you edit?

Mark



Re: http to https all traffic not working

Posted by Mike Johnson <mi...@nosm.ca>.
I did a little more testing and it seems that only the Tomcat
Manager/Server (a.k.a. the logged in areas) of the default Tomcat install
is acting this way. This is perhaps why I thought it was working on Tomcat
6.

My web apps are working as I expected them to, redirecting all traffic to
the appropriate https url.

So, this may be a simpler question now: Can anyone explain to me what is
happening in the Tomcat manager?

Tomcat manager's user prompt seems to override the switch of protocol. (go
to http://localhost/manager/html, never kicks me over to https)

Also, once I'm logged into the manager app, if I remove the 's' on https
and hit enter, it reprompts for a login, and lets me into http.

If I continue on in the same session, I can actually use http with 443...
seemingly using both sessions I've created :P really messed up.

Anyway, this isn't overly important as none of our admins will log into
manager remotely, so ssl into manager isn't required. It also seems to work
fine with the webapp, which is the main goal.

Thanks!
Mike.


