Re: how to auto redirect to https from http
Dave,

Dave wrote:
| The url is not changed when I point to
| http://www.mydomain.com/login.html in browser. The .html is mapped to
| servlet. I expected it to change to https://

I think David identified part of the problem: your XML is not set up properly. Check out the DTD (or Schema) to see where the goes, and try again.

| Even start with https, if url-rewriting is used for session
| tracking(sessionid in url), it is not secure anymore, right?

Correct. To really have a secure system, you need to use HTTPS all the time and always use cookie-based session tracking.

-chris

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
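As an added example (my own code, not from anyone in this thread), a servlet filter of the kind Dave mentioned that follows Chris's advice: every plain-HTTP GET is sent to the same URL on HTTPS, and on the first request over HTTPS a session whose id may already have crossed the wire in clear is replaced by a fresh one. The class name HttpsOnlyFilter and the marker attribute are my own; note that a filter only sees a request after Tomcat's own authenticator valve has run, so with container-managed login it complements a site-wide CONFIDENTIAL constraint in web.xml rather than replacing it.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical filter (added example, not from the thread): force HTTPS and rotate the session.
public class HttpsOnlyFilter implements Filter {
    // Marker attribute: present once a session has been used only over HTTPS.
    private static final String ROTATED = "HttpsOnlyFilter.rotated";
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!request.isSecure()) {
            // Only GET/HEAD can safely be replayed over HTTPS; a POST (e.g. a password
            // that already went over HTTP in clear) is refused instead of redirected.
            String m = request.getMethod();
            if (!"GET".equals(m) && !"HEAD".equals(m)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
                return;
            }
            response.sendRedirect(httpsUrl(request)); // 302 to the same path on https
            return;
        }
        HttpSession old = request.getSession(false);
        if (old != null && old.getAttribute(ROTATED) == null) {
            // This id may have been sent in clear over HTTP: replace it (the new JSESSIONID
            // cookie gets the Secure flag); attributes are copied, which assumes you trust them.
            Map<String, Object> attrs = new HashMap<String, Object>();
            for (Enumeration<?> e = old.getAttributeNames(); e.hasMoreElements();) {
                String n = (String) e.nextElement(); attrs.put(n, old.getAttribute(n));
            }
            old.invalidate();
            HttpSession fresh = request.getSession(true);
            for (Map.Entry<String, Object> a : attrs.entrySet()) fresh.setAttribute(a.getKey(), a.getValue());
        }
        chain.doFilter(req, res);
        HttpSession s = request.getSession(false); // also marks sessions created downstream
        if (s != null) s.setAttribute(ROTATED, Boolean.TRUE);
    }

    // Same host, path and query string, https scheme on the default port 443.
    static String httpsUrl(HttpServletRequest r) {
        String q = r.getQueryString();
        return "https://" + r.getServerName() + r.getRequestURI() + (q == null ? "" : "?" + q);
    }
}
```

Map it to /* in web.xml; if HTTPS runs on a non-default port such as the 8443 in this thread, add that port in httpsUrl.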
Re: how to auto redirect to https from http
"Christopher Schultz" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Dave,
>
> Dave wrote:
> | I moved the inside the as the following:
> | Automatic SLL Forwarding
> | /login.html
> | CONFIDENTIAL
> | But http://www.mydomain.com/login.html did not redirect to secure URL.
>
> :(
>
> It's possible that Tomcat ignores that setting during its own
> authentication process (which would suck if it were the case). What does
> the URL say when you are being asked to login?

Well, the first problem is that the has to come after the according to the spec. If you nest it in the , Tomcat will quietly ignore it (there are enough xml validators for you to check your web.xml syntax).

However, this won't work at all in Tomcat if you are using Container auth. The reason is that Tomcat (at least 5.5 and higher) does a forward to the login page, not a redirect. As a result, Tomcat never checks the security permissions for the /login.html URL.
Re: how to auto redirect to https from http
Chris,

The url is not changed when I point to http://www.mydomain.com/login.html in browser. The .html is mapped to servlet. I expected it to change to https://

So it is not secure to start as http and then switch to https to use the same http session, because the session id is visible to a man-in-the-middle. Am I right? If not secure, why is it allowed to be working this way?

Even start with https, if url-rewriting is used for session tracking (sessionid in url), it is not secure anymore, right?

Thanks,
Dave
Re: how to auto redirect to https from http
Hello Dave,

This is not exactly the answer you are looking for, but I have been concerned with public web security for a long time and I have finally resigned myself to the fact that if you are using login pages that process user ids and passwords and other confidential info, man-in-the-middle and any type of network traffic sniffing is extremely dangerous.

I run several Java apps publicly and all are 100% https/SSL all the time. It is a performance hit but I just up the hardware to match: multi-core Linux boxes with smp and 4+ gigs mem and other virtualization tricks as afforded by XEN and even Tomcat itself (6.0). Also please note: JBoss is very good at multi-instance web application servers on multiple ports with only a single machine install.

If you have very serious Java web application concerns and full-time https encryption is warranted then you might give the folks at www.azulsystems.com a call.

HTH,
David.
Re: how to auto redirect to https from http
Dave,

Dave wrote:
| I moved the inside the as the following:
| Automatic SLL Forwarding
| /login.html
| CONFIDENTIAL
| But http://www.mydomain.com/login.html did not redirect to secure URL.

:(

It's possible that Tomcat ignores that setting during its own authentication process (which would suck if it were the case). What does the URL say when you are being asked to login?

| As you mentioned, If I start as http, then redirect to https when
| login, and keep https after login. Does that mean https is using the
| http session?

Well, it's not a "http session" per-se... it's the session that was created while you were in http mode. The answer is yes: Tomcat will continue to use that session. If, however, you kill any sessions (yourself) as you switch to https, then any fallback to http will lose the session (because the browser will refuse to send a "secure" cookie through a non-secure channel).

| Is there any security hole? If a man-in-the-middle knows the session
| id from http and the same session id is used by https?

This does not require man-in-the-middle. It's just plain-old session hijacking. This can happen whether you are using SSL or not -- if someone can guess your session id, you're pwned.

-chris
Re: how to auto redirect to https from http
Hi Chris,

I moved the inside the as the following:

Automatic SLL Forwarding
/login.html
CONFIDENTIAL

But http://www.mydomain.com/login.html did not redirect to secure URL.

As you mentioned, if I start as http, then redirect to https when login, and keep https after login. Does that mean https is using the http session? Is there any security hole? If a man-in-the-middle knows the session id from http and the same session id is used by https?

Thanks for help.
Dave
Re: how to auto redirect to https from http
Dave,

Dave wrote:
| I tried the method, it worked.
| But when I tried to protect login page only,
| protected pages
| /login.jsp
| restarted tomcat, and went to http://www.mydomain.com
| it was redirected to secure URL. It should stay insecure until going to login page.
| anything I was missing?

Is that your entire configuration? If you've told Tomcat that /* should be CONFIDENTIAL, then all traffic will be redirected to HTTPS.

Move the CONFIDENTIAL part into the that represents your login page, and leave the rest of the app non-CONFIDENTIAL.

Remember that Tomcat will not automatically go from HTTPS to HTTP, so you'll have to make that happen yourself. Also remember that if your session id cookie was created in HTTPS mode, your browser will not send it back to the server when you're in HTTP mode.

-chris
Re: how to auto redirect to https from http
Hi Hazem,

Thanks, I tried the method, it worked. But when I tried to protect login page only,

protected pages
/login.jsp

restarted tomcat, and went to http://www.mydomain.com

it was redirected to secure URL. It should stay insecure until going to login page.

anything I was missing?

Thanks
Dave
Re: how to auto redirect to https from http
Hi Dave,

Try to add this to web.xml under tomcat_install_dir/conf:

"
/
Protected Context
/*
CONFIDENTIAL
/
"

That works for me.

Regards.
--Hazem.

Dave wrote:
> Hi,
> when user types http://www.mydomain.com, how to redirect to secure url
> https://www.mydomain.com? I know that a servlet filter can do that. Is there
> an easier way?
>
> In server.xml, redirectPort="8443" for port 80, it did not work as I expected.
>
>     maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
>     emptySessionPath="true"
>     enableLookups="false" redirectPort="8443" acceptCount="100"
>     connectionTimeout="2" disableUploadTimeout="true"/>
>
>     maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
>     emptySessionPath="true"
>     scheme="https" secure="true" clientAuth="false"
>     keystoreFile="${jboss.server.home.dir}/keystore"
>     keystorePass="123456" sslProtocol = "TLS" />
>
> Thanks for help.
>
> Dave