Re: how to auto redirect to https from http

2008-02-11 Thread Christopher Schultz


Dave,

Dave wrote:
| The url is not changed when I point to
| http://www.mydomain.com/login.html in browser. The .html is mapped to
|  servlet. I expected it to change to https://

I think David identified part of the problem: your XML is not set up
properly. Check out the DTD (or Schema) to see where the
transport-guarantee goes, and try again.

| Even start with https, if url-rewriting is used for session
| tracking(sessionid in url), it is not secure anymore, right?

Correct. To really have a secure system, you need to use HTTPS all the
time and always use cookie-based session tracking.

- -chris


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: how to auto redirect to https from http

2008-02-07 Thread Dave
Chris,
   
  The url is not changed when I point to http://www.mydomain.com/login.html in 
browser. The .html is mapped to servlet. I expected it to change to https://
   
  So it is not secure to start as http and then switch to https to use the same 
http session because the session id is visible to a man-in-the-middle. Am I right? If 
not secure, why is it allowed to be working this way?
   
  Even starting with https, if url-rewriting is used for session 
tracking (sessionid in url), it is not secure anymore, right?
   
  Thanks,
Dave

Christopher Schultz [EMAIL PROTECTED] wrote:

Dave,

Dave wrote:
| I moved the user-data-constraint inside the web-resource-collection
| as the following:
|
| <security-constraint>
|   <web-resource-collection>
|     <web-resource-name>Automatic SLL Forwarding</web-resource-name>
|     <url-pattern>/login.html</url-pattern>
|     <user-data-constraint>
|       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
|     </user-data-constraint>
|   </web-resource-collection>
| </security-constraint>
|
| But http://www.mydomain.com/login.html did not redirect to secure URL.

:(

It's possible that Tomcat ignores that setting during its own
authentication process (which would suck if it were the case). What does
the URL say when you are being asked to login?

| As you mentioned, If I start as http, then redirect to https when
| login, and keep https after login. Does that mean https is using the
| http session?

Well, it's not a http session per-se... it's the session that was
created while you were in http mode. The answer is yes: Tomcat will
continue to use that session. If, however, you kill any sessions
(yourself) as you switch to https, then any fallback to http will lose
the session (because the browser will refuse to send a secure cookie
through a non-secure channel).

| Is there any security hole? If a man-in-the-middle knows the session
| id from http and the same session id is used by https?

This does not require man-in-the-middle. It's just plain-old session
hijacking. This can happen whether you are using SSL or not -- if
someone can guess your session id, you're pwned.

- -chris





   

Re: how to auto redirect to https from http

2008-02-07 Thread David Brown
Hello Dave, this is not exactly the answer you are looking for but I have been 
concerned with public web security for a long time and I have finally resigned 
myself to the fact that if you are using login pages that process user ids and 
passwords and other confidential info that man-in-the-middle and any type of 
network traffic sniffing is extremely dangerous. I run several Java apps 
publicly and all are 100% https/SSL all the time. It is a performance hit but I 
just up the hardware to match: multi-core Linux boxes with smp and 4+ gigs mem 
and other virtualization tricks as afforded by XEN and even Tomcat itself 
(6.0). Also please note: JBoss is very good at multi-instance web application 
servers on multiple ports with only a single machine install. If you have very 
serious Java web application concerns and full-time https encryption is 
warranted then you might give the folks at: www.azulsystems.com a call. HTH, 
David.

Dave wrote ..
 Hi Chris,

   I moved the user-data-constraint inside the web-resource-collection as
 the following:

 <security-constraint>
   <web-resource-collection>
     <web-resource-name>Automatic SLL Forwarding</web-resource-name>
     <url-pattern>/login.html</url-pattern>
     <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
   </web-resource-collection>
 </security-constraint>
 
   But http://www.mydomain.com/login.html did not redirect to secure URL.

   As you mentioned, if I start as http, then redirect to https when login,
 and keep https after login. Does that mean https is using the http session?
 Is there any security hole? If a man-in-the-middle knows the session id from
 http and the same session id is used by https?

   Thanks for help.
   Dave
 
 Christopher Schultz [EMAIL PROTECTED] wrote:
 
 Dave,
 
 Dave wrote:
 | I tried the method, it worked.
 | But when I tried to protect login page only,
 |
 | <web-resource-collection>
 |   <web-resource-name>protected pages</web-resource-name>
 |   <url-pattern>/login.jsp</url-pattern>
 | </web-resource-collection>
 |
 | restarted tomcat, and went to http://www.mydomain.com
 |
 | it was redirected to secure URL. It should stay insecure until going
 | to login page.
 |
 | anything I was missing?
 
 Is that your entire web-resource-collection configuration? If you've
 told Tomcat that /* should be CONFIDENTIAL, then all traffic will be
 redirected to HTTPS.
 
 Move the CONFIDENTIAL part into the web-resource-collection that
 represents your login page, and leave the rest of the app non-CONFIDENTIAL.
 
 Remember that Tomcat will not automatically go from HTTPS to HTTP, so
 you'll have to make that happen yourself. Also remember that if your
 session id cookie was created in HTTPS mode, your browser will not send
 it back to the server when you're in HTTP mode.
 
 - -chris
 
 
 
 





Re: how to auto redirect to https from http

2008-02-07 Thread Christopher Schultz


Dave,

Dave wrote:
|   I moved the user-data-constraint inside the
| web-resource-collection as the following:
|
| <security-constraint>
|   <web-resource-collection>
|     <web-resource-name>Automatic SLL Forwarding</web-resource-name>
|     <url-pattern>/login.html</url-pattern>
|     <user-data-constraint>
|       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
|     </user-data-constraint>
|   </web-resource-collection>
| </security-constraint>
|
|   But http://www.mydomain.com/login.html did not redirect to secure URL.

:(

It's possible that Tomcat ignores that setting during its own
authentication process (which would suck if it were the case). What does
the URL say when you are being asked to login?

| As you mentioned, If I start as http, then redirect to https when
| login, and keep https after login. Does that mean https is using the
| http session?

Well, it's not a http session per-se... it's the session that was
created while you were in http mode. The answer is yes: Tomcat will
continue to use that session. If, however, you kill any sessions
(yourself) as you switch to https, then any fallback to http will lose
the session (because the browser will refuse to send a secure cookie
through a non-secure channel).

| Is there any security hole? If a man-in-the-middle knows the session
| id from http and the same session id is used by https?

This does not require man-in-the-middle. It's just plain-old session
hijacking. This can happen whether you are using SSL or not -- if
someone can guess your session id, you're pwned.

- -chris




Re: how to auto redirect to https from http

2008-02-07 Thread Dave
Hi Chris,
   
  I moved the user-data-constraint inside the web-resource-collection as 
the following:
   
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Automatic SLL Forwarding</web-resource-name>
      <url-pattern>/login.html</url-pattern>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </web-resource-collection>
  </security-constraint>

  But http://www.mydomain.com/login.html  did not redirect to secure URL.
   
  As you mentioned, If I start as http, then redirect to https when login,  and 
keep https after login. Does that mean https is using the http session? Is 
there any security hole? If a man-in-the-middle knows the session id from http 
and the same session id is used by https?
   
  Thanks for help.
  Dave

Christopher Schultz [EMAIL PROTECTED] wrote:

Dave,

Dave wrote:
| I tried the method, it worked.
| But when I tried to protect login page only,
|
| <web-resource-collection>
|   <web-resource-name>protected pages</web-resource-name>
|   <url-pattern>/login.jsp</url-pattern>
| </web-resource-collection>
|
| restarted tomcat, and went to http://www.mydomain.com
|
| it was redirected to secure URL. It should stay insecure until going
| to login page.
|
| anything I was missing?

Is that your entire web-resource-collection configuration? If you've
told Tomcat that /* should be CONFIDENTIAL, then all traffic will be
redirected to HTTPS.

Move the CONFIDENTIAL part into the web-resource-collection that
represents your login page, and leave the rest of the app non-CONFIDENTIAL.

Remember that Tomcat will not automatically go from HTTPS to HTTP, so
you'll have to make that happen yourself. Also remember that if your
session id cookie was created in HTTPS mode, your browser will not send
it back to the server when you're in HTTP mode.

- -chris




   

Re: how to auto redirect to https from http

2008-02-07 Thread Christopher Schultz


Dave,

Dave wrote:
|   I tried the method, it worked.
|   But when I tried to protect login page only,
|
|   <web-resource-collection>
|     <web-resource-name>protected pages</web-resource-name>
|     <url-pattern>/login.jsp</url-pattern>
|   </web-resource-collection>
|
|   restarted tomcat, and went to http://www.mydomain.com
|
|   it was redirected to secure URL. It should stay insecure until going
| to login page.
|
|   anything I was missing?

Is that your entire web-resource-collection configuration? If you've
told Tomcat that /* should be CONFIDENTIAL, then all traffic will be
redirected to HTTPS.

Move the CONFIDENTIAL part into the web-resource-collection that
represents your login page, and leave the rest of the app non-CONFIDENTIAL.

Remember that Tomcat will not automatically go from HTTPS to HTTP, so
you'll have to make that happen yourself. Also remember that if your
session id cookie was created in HTTPS mode, your browser will not send
it back to the server when you're in HTTP mode.

- -chris




Re: how to auto redirect to https from http

2008-02-07 Thread Dave
Hi Hazem,
  Thanks,
   
  I tried the method, it worked.
  But  when I tried to protect login page only,
   
  <web-resource-collection>
    <web-resource-name>protected pages</web-resource-name>
    <url-pattern>/login.jsp</url-pattern>
  </web-resource-collection>

  restarted tomcat, and went to http://www.mydomain.com
   
  it was redirected to secure URL. It should stay insecure until going to login 
page.
   
  anything I was missing?
   
  Thanks
  Dave

Hazem DAOUD [EMAIL PROTECTED] wrote:
  Hi Dave,

Try to add this to web.xml under tomcat_install_dir/conf:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- auth-constraint goes here if you require authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

That works for me.

Regards.

--Hazem.

Dave wrote:
 Hi,
 when user types http://www.mydomain.com, how to redirect to secure url 
 https://www.mydomain.com? I know that a servlet filter can do that. Is there 
 an easier way?
 
 In server.xml, redirectPort=8443 for port 80, it did not work as I expected.
 
 <Connector port="80" address="${jboss.bind.address}"
     maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
     emptySessionPath="true"
     enableLookups="false" redirectPort="8443" acceptCount="100"
     connectionTimeout="2" disableUploadTimeout="true"/>
 
 <Connector port="8443" address="${jboss.bind.address}"
     maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
     emptySessionPath="true"
     scheme="https" secure="true" clientAuth="false"
     keystoreFile="${jboss.server.home.dir}/keystore"
     keystorePass="123456" sslProtocol="TLS" />

 Thanks for help.
 
 Dave

 
 



   

Re: how to auto redirect to https from http

2008-02-07 Thread Hazem DAOUD

Hi Dave,

Try to add this to web.xml under tomcat_install_dir/conf:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- auth-constraint goes here if you require authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>


That works for me.

Regards.

--Hazem.

Dave wrote:

Hi,
  when user types http://www.mydomain.com, how to redirect to secure url 
https://www.mydomain.com?  I know that a servlet filter can do that. Is there 
an easier way?
   
  In server.xml,  redirectPort=8443 for port 80, it did not work as I expected.
   
  <Connector port="80" address="${jboss.bind.address}"
      maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
      emptySessionPath="true"
      enableLookups="false" redirectPort="8443" acceptCount="100"
      connectionTimeout="2" disableUploadTimeout="true"/>

  <Connector port="8443" address="${jboss.bind.address}"
      maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
      emptySessionPath="true"
      scheme="https" secure="true" clientAuth="false"
      keystoreFile="${jboss.server.home.dir}/keystore"
      keystorePass="123456" sslProtocol="TLS" />

  Thanks for help.
   
  Dave


   
  




Re: how to auto redirect to https from http

2008-02-07 Thread Bill Barker

Christopher Schultz [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]

 Dave,

 Dave wrote:
 |   I moved the user-data-constraint inside the
 | web-resource-collection as the following:
 |
 | <security-constraint>
 |   <web-resource-collection>
 |     <web-resource-name>Automatic SLL Forwarding</web-resource-name>
 |     <url-pattern>/login.html</url-pattern>
 |     <user-data-constraint>
 |       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 |     </user-data-constraint>
 |   </web-resource-collection>
 | </security-constraint>
 |
 |   But http://www.mydomain.com/login.html did not redirect to secure 
 |   URL.

 :(

 It's possible that Tomcat ignores that setting during its own
 authentication process (which would suck if it were the case). What does
 the URL say when you are being asked to login?


Well, the first problem is that the user-data-constraint has to come after 
the /web-resource-collection according to the spec.  If you nest it in the 
web-resource-collection, Tomcat will quietly ignore it (there are enough 
xml validators for you to check your web.xml syntax).

However, this won't work at all in Tomcat if you are using Container auth. 
The reason is that Tomcat (at least 5.5 and higher) does a forward to the 
login page, not a redirect.  As a result, Tomcat never checks the security 
permissions for the /login.html URL.

 | As you mentioned, If I start as http, then redirect to https when
 | login, and keep https after login. Does that mean https is using the
 | http session?

 Well, it's not a http session per-se... it's the session that was
 created while you were in http mode. The answer is yes: Tomcat will
 continue to use that session. If, however, you kill any sessions
 (yourself) as you switch to https, then any fallback to http will lose
 the session (because the browser will refuse to send a secure cookie
 through a non-secure channel).

 | Is there any security hole? If a man-in-the-middle knows the session
 | id from http and the same session id is used by https?

 This does not require man-in-the-middle. It's just plain-old session
 hijacking. This can happen whether you are using SSL or not -- if
 someone can guess your session id, you're pwned.

 - -chris


 




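As an added example (not code from the thread or from Tomcat), a small Python checker that encodes Bill's and Chris's points: it flags a user-data-constraint nested inside web-resource-collection, which Tomcat quietly ignores, and notes when CONFIDENTIAL on /* pushes the whole application to HTTPS rather than just the login page. The two web.xml fragments are constructed from the ones posted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real deployment: the layout Dave posted, with
# user-data-constraint nested inside web-resource-collection.
NESTED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Automatic SLL Forwarding</web-resource-name>
      <url-pattern>/login.html</url-pattern>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </web-resource-collection>
  </security-constraint>
</web-app>"""
# Constructed sample: Hazem's layout, constraint placed after the collection.
SITEWIDE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def check_web_xml(xml_text):
    """Return (severity, message) findings for each security-constraint."""
    root = ET.fromstring(xml_text)
    # Servlet 2.4+ descriptors carry an xmlns; strip it so tag names match.
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    findings = []
    for sc in root.iter("security-constraint"):
        pats = ", ".join(p.text.strip() for p in sc.iter("url-pattern") if p.text)
        # The schema allows user-data-constraint only as a direct child.
        direct = sc.findall("user-data-constraint")
        # Anything deeper is the nesting mistake that Tomcat quietly ignores.
        nested = [u for u in sc.iter("user-data-constraint") if u not in direct]
        for _ in nested:
            findings.append(("error", "user-data-constraint for %s is nested "
                             "inside web-resource-collection and is ignored" % pats))
        for udc in direct:
            tg = (udc.findtext("transport-guarantee") or "NONE").strip()
            if tg != "CONFIDENTIAL":
                findings.append(("warning", "%s: transport-guarantee is %s, "
                                 "not CONFIDENTIAL" % (pats, tg)))
            elif "/*" in pats.split(", "):
                findings.append(("info", "CONFIDENTIAL on /* redirects every "
                                 "request to HTTPS, not just the login page"))
        if not direct and not nested:
            findings.append(("warning", "%s has no transport-guarantee" % pats))
    return findings
```

Running it over the nested sample yields the "ignored" error, and over Hazem's sample only the informational note about /*; a constraint on /login.html with the user-data-constraint as a direct child produces no findings.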