Posted to users@tomcat.apache.org by Robedan <dr...@cesco.net> on 2010/07/13 17:05:39 UTC

Problem redirecting http to https in Tomcat 4

I have an application that has a Web interface using an embedded Tomcat 4
Server. I need to make it available to users over the Internet and want to
secure it with SSL. It originally worked on port 8080 but I successfully
modified the SERVER.XML to make it work over port 80. I also successfully
created an SSL connector so that if you specify https://myserver.domain.com
you can access the app over SSL on port 443. The final piece of the puzzle
I've been struggling with is automatically redirecting http: requests to
https: All the Tomcat forums say this is pretty simple, all you need to do
is add a bit of code to either the server or app's web.xml:

Protected Context
/*
CONFIDENTIAL

When I enter this code and restart Tomcat, the app stops working on all
ports. I just get a '404' resource not found on the default page or any
other. I'm sure I'm missing something but I have no idea what. Are there any
Tomcat gurus out there that can point me in the right direction?

-- 
View this message in context: http://old.nabble.com/Problem-redirecting-http-to-https-in-Tomcat-4-tp29151597p29151597.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

RE: Problem redirecting http to https in Tomcat 4

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Robedan [mailto:droberts@cesco.net]
> Subject: RE: Problem redirecting http to https in Tomcat 4
> 
> I'm attaching a copy of the web.xml taken from /tomcat/conf.

The list strips most attachments, so that didn't work.  Sometimes .zip files come through, but it's usually easiest just to place the text inline in a post, and make sure your e-mail client is sending plain text, not HTML or RTF.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Problem redirecting http to https in Tomcat 4

Posted by Pid <pi...@pidster.com>.
On 13/07/2010 21:36, Caldarale, Charles R wrote:
> ... since Tomcat 4 is before my time ...
> 
>  - Chuck

:o



p


RE: Problem redirecting http to https in Tomcat 4

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Robedan [mailto:droberts@cesco.net]
> Subject: RE: Problem redirecting http to https in Tomcat 4
> 
> Whoops, forgot to attach the web.xml. Here it is...
> http://old.nabble.com/file/p29155093/web.xml web.xml

I copied & pasted your <security-constraint> section into the conf/web.xml file of a supported version of Tomcat (6.0.26), and everything is redirected to the SSL port, as expected.  That's about as far as I can take this, since Tomcat 4 is before my time (and I have no interest in learning it).

 - Chuck




RE: Problem redirecting http to https in Tomcat 4

Posted by Robedan <dr...@cesco.net>.
Whoops, forgot to attach the web.xml. Here it is...
http://old.nabble.com/file/p29155093/web.xml web.xml 
-- 
View this message in context: http://old.nabble.com/Problem-redirecting-http-to-https-in-Tomcat-4-tp29151597p29155093.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




RE: Problem redirecting http to https in Tomcat 4

Posted by Robedan <dr...@cesco.net>.
Thanks for the reply. In answer to your questions:

> No longer supported.  You really should upgrade.

Not an option here. Tomcat 4 comes embedded with the app. Upgrading may
affect the app negatively, or in a way the vendor won't support. Gonna have
to live with it for now.

> If that's what you actually put in, it's complete junk.  Care to tell us
> what you really tried (after reading the servlet spec), and where you tried
> it?

That is indeed junk, and not what I put in. The mailing list posting process
screwed something up, sorry about that. I'm attaching a copy of the web.xml
taken from /tomcat/conf. The inserted code snippet is at the end of the
file, before the closing </web-app>. I also tried inserting the snippet in
the app's web.xml with the same results. The snippet creates a CONFIDENTIAL
transport-guarantee element and can be found on many Tomcat forums,
including this one, but you can look at
http://forums.sun.com/thread.jspa?threadID=197150 to see what I'm talking
about. I was looking for something that would not modify the app too much
and could be easily reversed in case of a problem, but it doesn't seem to be
working for me.

Thanks again for taking the time to reply.

-- 
View this message in context: http://old.nabble.com/Problem-redirecting-http-to-https-in-Tomcat-4-tp29151597p29155023.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




RE: Problem redirecting http to https in Tomcat 4

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Robedan [mailto:droberts@cesco.net]
> Subject: Problem redirecting http to https in Tomcat 4
> 
> I have an application that has a Web interface using an 
> embedded Tomcat 4 Server.

No longer supported.  You really should upgrade.

> The final piece of the puzzle I've been struggling with 
> is automatically redirecting http: requests to https:

Read the servlet spec.  Real doc beats forums and mailing lists (even this one) every day.

> all you need to do is add a bit of code to either the 
> server or app's web.xml:
 
> Protected Context
> /*
> CONFIDENTIAL

If that's what you actually put in, it's complete junk.  Care to tell us what you really tried (after reading the servlet spec), and where you tried it?

 - Chuck




Re: Problem redirecting http to https in Tomcat 4

Posted by Bill Barker <bi...@verizon.net>.
Tomcat 4.x is well known to have problems with this when using a non-default 
SSL port with MSIE.  However, it usually works ok with the default SSL port. 
I would check that you have the correct redirectPort defined in the 
<Connector ... /> for the non-SSL connector.

"Robedan" <dr...@cesco.net> wrote in message 
news:29151597.post@talk.nabble.com...
>
> I have an application that has a Web interface using an embedded Tomcat 4
> Server. I need to make it available to users over the Internet and want to
> secure it with SSL. It originally worked on port 8080 but I successfully
> modified the SERVER.XML to make it work over port 80. I also successfully
> created an SSL connector so that if you specify
> https://myserver.domain.com
> you can access the app over SSL on port 443. The final piece of the puzzle
> I've been struggling with is automatically redirecting http: requests to
> https: All the Tomcat forums say this is pretty simple, all you need to do
> is add a bit of code to either the server or app's web.xml:
>
> Protected Context
> /*
> CONFIDENTIAL
>
> When I enter this code and restart Tomcat, the app stops working on all
> ports. I just get a '404' resource not found on the default page or any
> other. I'm sure I'm missing something but I have no idea what. Are there
> any Tomcat gurus out there that can point me in the right direction?
>
> -- 
> View this message in context: 
> http://old.nabble.com/Problem-redirecting-http-to-https-in-Tomcat-4-tp29151597p29151597.html
> Sent from the Tomcat - User mailing list archive at Nabble.com.
> 




Re: Problem redirecting http to https in Tomcat 4

Posted by David Fisher <df...@jmlafferty.com>.
Robedan,

I recall that we started doing the following in Tomcat 4.1:

In the webapp's WEB-INF/web.xml we inserted the following right before </web-app>:

    <security-constraint>
         <web-resource-collection>
              <web-resource-name>Entire Application</web-resource-name>
              <url-pattern>/*</url-pattern>
         </web-resource-collection>
         <user-data-constraint>
              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
    </security-constraint>

This forced http:// requests to be https:// for that webapp.

I hope it works for you.

Regards,
Dave

On Jul 14, 2010, at 11:02 AM, Christopher Schultz wrote:

> Robedan,
> 
> On 7/14/2010 1:29 PM, Robedan wrote:
>>> Can you post all
>>> active <Connector> elements from your conf/server.xml file?
>> 
>> Attached.
> 
> [inlined here:]
> 
>> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>> port="80" minProcessors="5" maxProcessors="75" enableLookups="true"
>> redirectPort="443" acceptCount="100" debug="0"
>> connectionTimeout="20000" useURIValidationHack="false"
>> disableUploadTimeout="true"/>
> 
> Okay, that's a standard HTTP connector. If the webapp demands a
> transport-guarantee of CONFIDENTIAL or INTEGRAL, the connection should
> be automatically upgraded by Tomcat by sending the client a redirect to
> the same URL but with https:// and the redirectPort set above. So, if
> you request http://host/myapp/foo.jsp, then Tomcat should redirect to
> https://host/myapp/foo.jsp given the above configuration (use of the
> default redirectPort of 443 does not result in :443 being added to the
> end of the host portion, since it's the default).
> 
> The above plus the <transport-guarantee> should be all you need. What is
> your experience when you use these two settings together?
> 
>> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>> port="443" minProcessors="5" maxProcessors="75" enableLookups="true"
>> acceptCount="100" debug="0" scheme="https" secure="true"
>> useURIValidationHack="false" disableUploadTimeout="true">
>>    [...]
>> </Connector>
> 
> Technically, the configuration of the HTTPS connector is not relevant:
> Tomcat won't ever "downgrade" your connection for you.
> 
>>> The web.xml file should be in
>>> your webapp's deployment directory under WEB-INF/web.xml.
>> 
>> I've tried it there, but with the same results.
> 
> What were those results? Give us an example of a URL that should
> redirect to a secure URL. Can you use wget or something similar to show
> what the server interaction is?
> 
>> This is the only application that will ever be on this server, so
>> either should work, yes?
> 
> Yes, either should work, but there's no reason to be sloppy, is there?
> 
>>> Your vendor needs to get with the program and
>>> start supporting a version of Tomcat that was written in the last 5 years.
>> 
>> Amen! I may end up trying what you did, but I'm not familiar with Tomcat yet.
>> I'm a quick study though...
> 
> Is this a custom webapp that your company owns, or is this something
> you've bought from someone else, and they refuse to support a newer
> version of Tomcat? I would imagine that security and performance would
> be goals worthy of their attention. Maybe they already have your money,
> though ;)
> 
> -chris


Re: Problem redirecting http to https in Tomcat 4

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Robedan,

On 7/14/2010 1:29 PM, Robedan wrote:
>> Can you post all
>> active <Connector> elements from your conf/server.xml file?
> 
> Attached.

[inlined here:]

> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
> port="80" minProcessors="5" maxProcessors="75" enableLookups="true"
> redirectPort="443" acceptCount="100" debug="0"
> connectionTimeout="20000" useURIValidationHack="false"
> disableUploadTimeout="true"/>

Okay, that's a standard HTTP connector. If the webapp demands a
transport-guarantee of CONFIDENTIAL or INTEGRAL, the connection should
be automatically upgraded by Tomcat by sending the client a redirect to
the same URL but with https:// and the redirectPort set above. So, if
you request http://host/myapp/foo.jsp, then Tomcat should redirect to
https://host/myapp/foo.jsp given the above configuration (use of the
default redirectPort of 443 does not result in :443 being added to the
end of the host portion, since it's the default).

The above plus the <transport-guarantee> should be all you need. What is
your experience when you use these two settings together?

> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
> port="443" minProcessors="5" maxProcessors="75" enableLookups="true"
> acceptCount="100" debug="0" scheme="https" secure="true"
> useURIValidationHack="false" disableUploadTimeout="true">
>     [...]
> </Connector>

Technically, the configuration of the HTTPS connector is not relevant:
Tomcat won't ever "downgrade" your connection for you.

>> The web.xml file should be in
>> your webapp's deployment directory under WEB-INF/web.xml.
> 
> I've tried it there, but with the same results.

What were those results? Give us an example of a URL that should
redirect to a secure URL. Can you use wget or something similar to show
what the server interaction is?

> This is the only application that will ever be on this server, so
> either should work, yes?

Yes, either should work, but there's no reason to be sloppy, is there?

>> Your vendor needs to get with the program and
>> start supporting a version of Tomcat that was written in the last 5 years.
> 
> Amen! I may end up trying what you did, but I'm not familiar with Tomcat yet.
> I'm a quick study though...

Is this a custom webapp that your company owns, or is this something
you've bought from someone else, and they refuse to support a newer
version of Tomcat? I would imagine that security and performance would
be goals worthy of their attention. Maybe they already have your money,
though ;)

-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
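
The check Christopher describes above (a CONFIDENTIAL transport-guarantee plus a redirectPort that points at a secure connector), as an added example that is not part of the original thread: a short Python audit of the two files. The XML inputs are constructed from the snippets quoted here, the function names are hypothetical, and the descriptor is assumed to be namespace-free, as in the Servlet 2.3 format Tomcat 4 uses.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed inputs modelled on the snippets quoted in this thread.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""
SERVER_XML = """<Server><Service>
  <Connector port="80" redirectPort="443"/>
  <Connector port="443" scheme="https" secure="true"/>
</Service></Server>"""

def protected_patterns(web_xml):
    """url-patterns under a CONFIDENTIAL or INTEGRAL transport-guarantee."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "").strip()
        if guarantee in ("CONFIDENTIAL", "INTEGRAL"):
            patterns += [p.text.strip() for p in sc.iter("url-pattern") if p.text]
    return patterns

def connector_findings(server_xml):
    """Flag plain connectors whose redirectPort has no secure https connector."""
    conns = [c.attrib for c in ET.fromstring(server_xml).iter("Connector")]
    secure_ports = {c.get("port") for c in conns
                    if c.get("scheme") == "https" and c.get("secure") == "true"}
    findings = []
    for c in conns:
        if c.get("scheme", "http") == "https":
            continue  # the HTTPS connector itself never redirects
        rp = c.get("redirectPort")
        if rp is None:
            findings.append(f"port {c.get('port')}: redirectPort not set explicitly")
        elif rp not in secure_ports:
            findings.append(f"port {c.get('port')}: redirectPort {rp} has no secure https connector")
    return findings

def expected_redirect(url, redirect_port):
    """Same host, path and query over https; the port is omitted when it is 443."""
    p = urlsplit(url)
    host = p.hostname if redirect_port == 443 else f"{p.hostname}:{redirect_port}"
    return urlunsplit(("https", host, p.path, p.query, ""))

if __name__ == "__main__":
    print(protected_patterns(WEB_XML))
    print(connector_findings(SERVER_XML))
    print(expected_redirect("http://host/myapp/foo.jsp", 443))
```

An empty pattern list or any connector finding means the redirect described above cannot be expected to happen; comparing `expected_redirect` with the Location header that wget reports shows whether the server agrees.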


Re: Problem redirecting http to https in Tomcat 4

Posted by Robedan <dr...@cesco.net>.
> Can you post all
> active <Connector> elements from your conf/server.xml file?

Attached.

> The web.xml file should be in
> your webapp's deployment directory under WEB-INF/web.xml.

I've tried it there, but with the same results. This is the only application
that will ever be on this server, so either should work, yes?

> Your vendor needs to get with the program and
> start supporting a version of Tomcat that was written in the last 5 years.

Amen! I may end up trying what you did, but I'm not familiar with Tomcat yet.
I'm a quick study though...

http://old.nabble.com/file/p29164626/server.xml server.xml 
-- 
View this message in context: http://old.nabble.com/Problem-redirecting-http-to-https-in-Tomcat-4-tp29151597p29164626.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: Problem redirecting http to https in Tomcat 4

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Robedan,

On 7/13/2010 11:05 AM, Robedan wrote:
> I have an application that has a Web interface using an embedded Tomcat 4
> Server. I need to make it available to users over the Internet and want to
> secure it with SSL. It originally worked on port 8080 but I successfully
> modified the SERVER.XML to make it work over port 80. I also successfully
> created an SSL connector so that if you specify https://myserver.domain.com
> you can access the app over SSL on port 443. The final piece of the puzzle
> I've been struggling with is automatically redirecting http: requests to
> https: All the Tomcat forums say this is pretty simple, all you need to do
> is add a bit of code to either the server or app's web.xml:

That should be all you need (the CONFIDENTIAL bit). Can you post all
active <Connector> elements from your conf/server.xml file?

Your <transport-guarantee> looks good, although you mentioned that it
was your conf/web.xml, which is all wrong. The web.xml file should be in
your webapp's deployment directory under WEB-INF/web.xml.

Tomcat loads conf/web.xml as defaults for all webapps. It's best to put
webapp-specific configuration in the WEB-INF/web.xml for the specific
web application. That way, if you deploy it on another container, the
configuration goes with the webapp instead of staying behind in some
container-specific location.

Too bad about not being able to upgrade from TC 4. We were terrified of
upgrading for years, and then just decided to get the process rolling.
We were able to upgrade from 4.1 -> 5.5 and then to 6.0 with little to
no headaches at all. The webapp required no changes: only a slightly
different configuration for the container itself (for instance, logging,
JNDI DataSources, etc.). Your vendor needs to get with the program and
start supporting a version of Tomcat that was written in the last 5 years.

-chris