Posted to users@tomcat.apache.org by Janet Preston <JP...@stjohns.ca> on 2011/10/14 22:09:50 UTC
Help with mixed SSL and non-SSL pages in Tomcat 7.0
Hi,
I have a web site with a login page that has to be accessed using SSL so
that the password is not sent as clear text. The rest of the site is
non-SSL. My configuration worked with this combination: Tomcat 5.5.27;
Apache 2.0.58; Java 1.5.0_13; and mod_jk (I'm not sure what version of
mod_jk, but it's old). After upgrading to Tomcat 7.0.22, Apache 2.2.21,
Java 1.6.0_23 and Tomcat JK connector version 1.2.32, I find my
application doesn't work the same. The problem is I never get past the
login page, because whenever a redirect from port 8443 to port 8080 occurs
I get bumped back to the login page. I can use the application if I stay
totally within SSL, and I can use the application totally without SSL, so I
think this is a configuration issue; I just don't know what needs to
change. I read the Tomcat 7 SSL Configuration How-To and it says it's
"customary to only run certain pages under SSL", but I'm missing something
or have used a hole in the past that has now been plugged.
My web.xml is configured as follows:
<welcome-file-list>
  <welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-constraint>
  <display-name>App Security</display-name>
  <web-resource-collection>
    <web-resource-name>App Security</web-resource-name>
    <description></description>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.do</url-pattern>
    <url-pattern>*.html</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description></description>
    <role-name>person</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginerr.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <description>All users who can login should be able to use this
  application</description>
  <role-name>person</role-name>
</security-role>
I created a certificate using the Java keystore and updated Tomcat's
server.xml:
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/security/.keystore"
           keystorePass="appcertkey" keyAlias="keyalias"/>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Index.html redirects the user from https to http.
Any suggestions would be appreciated.
Regards,
Janet
Re: Help with mixed SSL and non-SSL pages in Tomcat 7.0
Posted by Pid <pi...@pidster.com>.
On 14/10/2011 21:09, Janet Preston wrote:
> I have a web site with a login page that has to be accessed using SSL so
> that the password is not sent as clear text.
That's good.
> The rest of the site is non-SSL.
Oh. Why not?
p
Re: Help with mixed SSL and non-SSL pages in Tomcat 7.0
Posted by Mark Thomas <ma...@apache.org>.
On 14/10/2011 21:09, Janet Preston wrote:
> Hi,
>
> I have a web site with a login page that has to be accessed using SSL so
> that the password is not sent as clear text. The rest of the site is
> non-SSL.
So the password is worth protecting but the session ID is not? The
session ID is as good as the password for most nefarious purposes.
> My web.xml is configured as follows:
> <welcome-file-list>
>   <welcome-file>index.html</welcome-file>
> </welcome-file-list>
> <security-constraint>
>   <display-name>App Security</display-name>
>   <web-resource-collection>
>     <web-resource-name>App Security</web-resource-name>
>     <description></description>
>     <url-pattern>*.jsp</url-pattern>
>     <url-pattern>*.do</url-pattern>
>     <url-pattern>*.html</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>PUT</http-method>
>     <http-method>POST</http-method>
>     <http-method>DELETE</http-method>
>   </web-resource-collection>
Using any other HTTP method (e.g. HEAD) will bypass the security
constraints. I'd strongly recommend removing those methods from the
constraint.
>   <auth-constraint>
>     <description></description>
>     <role-name>person</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>/login.jsp</form-login-page>
>     <form-error-page>/loginerr.jsp</form-error-page>
>   </form-login-config>
> </login-config>
I don't see anything that forces logins to be over SSL.
> <security-role>
>   <description>All users who can login should be able to use this
>   application</description>
>   <role-name>person</role-name>
> </security-role>
>
> I created a certificate using the Java keystore and updated tomcat
> server.xml
> <Connector port="8080" protocol="HTTP/1.1"
>            connectionTimeout="20000"
>            redirectPort="8443" />
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            keystoreFile="/security/.keystore"
>            keystorePass="appcertkey" keyAlias="keyalias"/>
>
> <!-- Define an AJP 1.3 Connector on port 8009 -->
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>
> Index.html redirects the user from https to http.
Is that the only redirect in either direction?
Mark
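Editor's note, added to the thread and not part of either poster's mail: the constraint from the original web.xml with Mark's two points applied. The `<http-method>` elements are dropped so no verb is left unconstrained, and a `<user-data-constraint>` with `CONFIDENTIAL` is added so Tomcat sends plain-HTTP requests for the matched resources to the connector's `redirectPort` (8443 in the server.xml above). The url-patterns are the original ones; since they cover the whole application, this also keeps the session cookie off the clear-text port.

```xml
<security-constraint>
  <display-name>App Security</display-name>
  <web-resource-collection>
    <web-resource-name>App Security</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.do</url-pattern>
    <url-pattern>*.html</url-pattern>
    <!-- No <http-method> elements: a collection without them applies to
         every HTTP method, so HEAD, OPTIONS, TRACE etc. are constrained
         exactly like GET and POST instead of skipping the auth check. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>person</role-name>
  </auth-constraint>
  <!-- CONFIDENTIAL: Tomcat redirects a plain-HTTP request for any matched
       resource to the connector's redirectPort before authentication runs,
       so the login form, the credential POST and the session cookie all
       travel over TLS. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With every matched resource forced onto 8443, the https-to-http redirect in index.html should be removed; otherwise each hop back to 8080 is redirected to 8443 again and the session established on one scheme is not the one the browser presents on the other.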