Re: Problems with forwarding HTTP to HTTPS

Mark, thanks for your comment and thanks for pointing me in the right direction.

I guess this one is the matching excerpt from the specs:

[snip]

The combination of user-data-constraints that apply to a common url-pattern and http-method shall yield the union of connection types accepted by the individual constraints as acceptable connection types. A security constraint that does not contain a user-data-constraint shall combine with other user-data-constraints to cause the unprotected connection type to be an accepted connection type.

[snap]

As Jeffrey mentioned, I guess I'll have to bite the bullet, but before doing that, I'll try my luck writing a valve forwarding all http to https.

Still, I guess the specs do have some room for improvement here, meaning, it would be more than helpful if default settings could be specified inside the global deployment descriptor. Wondering if I'm the first person missing such a feature.

Thanks!

Gregor

On Thu, Dec 1, 2011 at 3:43 PM, Mark Thomas wrote:
> On 30/11/2011 18:32, Gregor S. wrote:
>> My understanding was, that in the global web.xml
>> ($catalina.home/conf/web.xml) the defaults are specified and promoted
>> to all webapps. But it seems as the webapp doesn't inherit the element
>> from the global web.xml if it specifies its
>> own - my expectation was, that it inherits
>> those elements not specified inside the webapp's
>> deployment-descriptor.
>
> Your understanding is wrong.
>
> You need to read the 2.5 servlet specification, particularly section
> SRV.12.7.1.
>
> Mark

--
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 3DB13F197F8A0360814885D1F1F1E2EFAD509AFD
skype:rc46fi
gplus.to/gregor
twitter.com/#/2smart4u

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
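
Added example, not part of the thread and not Tomcat code: a small Python audit that applies the combination rule quoted above to a global and a webapp descriptor, assuming the constraints of both end up applying to the same webapp. The descriptors are constructed from the thread's description; the check compares exact url-pattern strings and ignores http-method, which none of the thread's constraints use.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors modelled on the thread; not the poster's actual files.
TEMPLATE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>{name}</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    {extra}
  </security-constraint>
</web-app>"""
AUTH = "<auth-constraint><role-name>someuser</role-name></auth-constraint>"
TLS = ("<user-data-constraint><transport-guarantee>CONFIDENTIAL"
       "</transport-guarantee></user-data-constraint>")
GLOBAL_WEB_XML = TEMPLATE.format(name="Protected Context", extra=TLS)
WEBAPP_AUTH_ONLY = TEMPLATE.format(name="Protected Area", extra=AUTH)
WEBAPP_AUTH_AND_TLS = TEMPLATE.format(name="Protected Area", extra=AUTH + TLS)


def constraints(xml_text):
    """Yield (url-pattern, transport-guarantee) for every security-constraint."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
    for sc in root.iter("security-constraint"):
        # A missing user-data-constraint is treated like a guarantee of NONE.
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE")
        for pattern in sc.iter("url-pattern"):
            yield pattern.text.strip(), guarantee.strip()


def plain_http_accepted(*descriptors):
    """Map url-pattern -> True when the combined constraints still accept HTTP."""
    accepted = {}
    for xml_text in descriptors:
        for pattern, guarantee in constraints(xml_text):
            # Union rule (spec excerpt quoted above): one constraint without a
            # transport guarantee makes the unprotected connection acceptable.
            accepted[pattern] = accepted.get(pattern, False) or guarantee == "NONE"
    return accepted


if __name__ == "__main__":
    print(plain_http_accepted(GLOBAL_WEB_XML, WEBAPP_AUTH_ONLY))     # setup from the thread
    print(plain_http_accepted(GLOBAL_WEB_XML, WEBAPP_AUTH_AND_TLS))  # the working variant
```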

RE: Problems with forwarding HTTP to HTTPS

Jeffrey Janner wrote:
>I might be a little off

You are a long way off and also need to read the Servlet 2.5 spec.

Mark

RE: Problems with forwarding HTTP to HTTPS

I might be a little off (and I'm sure Pid or Chuck will correct me), but security-constraints are applied based on matching url-patterns, and you're using the same pattern in both places. Therefore, the webapp's definition will take precedence over the global. Looks like it is best to bite the bullet and update each one individually.

> -Original Message-
> From: Gregor S. [mailto:rc4...@googlemail.com]
> Sent: Wednesday, November 30, 2011 12:32 PM
> To: Tomcat Users List
> Subject: Problems with forwarding HTTP to HTTPS
>
> Hi list,
>
> I'm a bit puzzled.
>
> I want to forward all incoming HTTP-traffic to HTTPS.
>
> Within my $catalina.home/conf/server.xml I've specified the following
> connectors:
>
>     connectionTimeout="2"
>     redirectPort="443" />
>
>     maxThreads="150"
>     enableLookups="false" disableUploadTimeout="true"
>     acceptCount="100" scheme="https" secure="true"
>     SSLEnabled="true"
>     SSLCertificateFile="${catalina.base}/conf/test.dom.crt"
>     SSLCertificateKeyFile="${catalina.base}/conf/test.dom.key" />
>
> Then I specified in $catalina.home/conf/web.xml the following
> transport-guarantee:
>
>     Protected Context resource-name>
>     /*
>     CONFIDENTIAL guarantee>
>
> In my webapp, additionally I also specified some additional
> security-constraints as follows:
>
>     Protected Area
>     /*
>     someuser
>
> However, when I call the webapp using http://mywebapp.something, it is
> not redirected to HTTPS but the HTTP-scheme is used.
>
> However, when I remove the security-constraints from
> $catalina.base/conf/web.xml and change the webapp's
> deployment-descriptor to
>
>     Protected Area
>     /*
>     CONFIDENTIAL
>     domuser
>
> it's working.
>
> My understanding was, that in the global web.xml
> ($catalina.home/conf/web.xml) the defaults are specified and promoted
> to all webapps. But it seems as the webapp doesn't inherit the element
> from the global web.xml if it specifies its
> own - my expectation was, that it inherits
> those elements not specified inside the webapp's
> deployment-descriptor.
>
> Is it such, that if I specify in my local
> webapp, the global settings in $catalina.home/conf/web.xml are always
> overwritten? If not - where does the inheritance start and where does
> it end?
>
> My business-case is, that I do have a whole bunch of webapps which
> have to be re-directed to HTTPS, each of them having their own
> since you'll have to login to access them, and
> additionally multiple domains, so that changing each
> deployment-descriptor is giving me a major headache.
>
> I couldn't find anything in the documentation - or let me re-phrase
> it: I understood it that way that each element is inherited from the
> global deployment-descriptor if not specified in the webapp's own
> deployment-descriptor.
>
> If somebody could shed some light here or point me to the right docs,
> that would be great.
>
> My configuration:
>
> Using CATALINA_BASE:   /home/tomcat/local/apache-tomcat-6.0.33
> Using CATALINA_HOME:   /home/tomcat/local/apache-tomcat-6.0.33
> Using CATALINA_TMPDIR: /home/tomcat/local/apache-tomcat-6.0.33/temp
> Using JRE_HOME:        /usr/lib/jvm/java-6-sun
> Using CLASSPATH:       /home/tomcat/local/apache-tomcat-6.0.33/bin/bootstrap.jar
> Server version: Apache Tomcat/6.0.33
> Server built:   Aug 16 2011 02:16:34
> Server number:  6.0.33.0
> OS Name:        Linux
> OS Version:     2.6.26-2-686
> Architecture:   i386
> JVM Version:    1.6.0_26-b03
> JVM Vendor:     Sun Microsystems Inc.
>
> I'm also using the APR, thus using OpenSSL as SSL-implementation.
>
> TIA
>
> Gregor

Re: Problems with forwarding HTTP to HTTPS

On 30/11/2011 18:32, Gregor S. wrote:
> My understanding was, that in the global web.xml
> ($catalina.home/conf/web.xml) the defaults are specified and promoted
> to all webapps. But it seems as the webapp doesn't inherit the element
> from the global web.xml if it specifies its
> own - my expectation was, that it inherits
> those elements not specified inside the webapp's
> deployment-descriptor.

Your understanding is wrong.

You need to read the 2.5 servlet specification, particularly section SRV.12.7.1.

Mark

Problems with forwarding HTTP to HTTPS

Hi list,

I'm a bit puzzled.

I want to forward all incoming HTTP-traffic to HTTPS.

Within my $catalina.home/conf/server.xml I've specified the following connectors:

Then I specified in $catalina.home/conf/web.xml the following transport-guarantee:

    Protected Context
    /*
    CONFIDENTIAL

In my webapp, additionally I also specified some additional security-constraints as follows:

    Protected Area
    /*
    someuser

However, when I call the webapp using http://mywebapp.something, it is not redirected to HTTPS but the HTTP-scheme is used.

However, when I remove the security-constraints from $catalina.base/conf/web.xml and change the webapp's deployment-descriptor to

    Protected Area
    /*
    CONFIDENTIAL
    domuser

it's working.

My understanding was, that in the global web.xml ($catalina.home/conf/web.xml) the defaults are specified and promoted to all webapps. But it seems as the webapp doesn't inherit the element from the global web.xml if it specifies its own - my expectation was, that it inherits those elements not specified inside the webapp's deployment-descriptor.

Is it such, that if I specify in my local webapp, the global settings in $catalina.home/conf/web.xml are always overwritten? If not - where does the inheritance start and where does it end?

My business-case is, that I do have a whole bunch of webapps which have to be re-directed to HTTPS, each of them having their own since you'll have to login to access them, and additionally multiple domains, so that changing each deployment-descriptor is giving me a major headache.

I couldn't find anything in the documentation - or let me re-phrase it: I understood it that way that each element is inherited from the global deployment-descriptor if not specified in the webapp's own deployment-descriptor.

If somebody could shed some light here or point me to the right docs, that would be great.

My configuration:

    Using CATALINA_BASE:   /home/tomcat/local/apache-tomcat-6.0.33
    Using CATALINA_HOME:   /home/tomcat/local/apache-tomcat-6.0.33
    Using CATALINA_TMPDIR: /home/tomcat/local/apache-tomcat-6.0.33/temp
    Using JRE_HOME:        /usr/lib/jvm/java-6-sun
    Using CLASSPATH:       /home/tomcat/local/apache-tomcat-6.0.33/bin/bootstrap.jar
    Server version: Apache Tomcat/6.0.33
    Server built:   Aug 16 2011 02:16:34
    Server number:  6.0.33.0
    OS Name:        Linux
    OS Version:     2.6.26-2-686
    Architecture:   i386
    JVM Version:    1.6.0_26-b03
    JVM Vendor:     Sun Microsystems Inc.

I'm also using the APR, thus using OpenSSL as SSL-implementation.

TIA

Gregor

--
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 3DB13F197F8A0360814885D1F1F1E2EFAD509AFD
skype:rc46fi
gplus.to/gregor
twitter.com/#/2smart4u