Re: Tomcat 7 ssl by default
On 18 December 2014 at 14:06, Christopher Schultz ch...@christopherschultz.net wrote:
> Duncan,
>
> On 12/18/14 4:18 AM, Lyallex wrote:
>> On 17 December 2014 at 22:37, Christopher Schultz ch...@christopherschultz.net wrote:
>>> Duncan,
>>>
>>> On 12/17/14 12:32 PM, Lyallex wrote:
>>>> Yea, I thought of this. The problem is I currently have a user area that requires a login, and all this is currently configured in web.xml, and I'm not sure how all this will fit together. I'll try a few things out and see what happens.
>>>
>>> You can have multiple, overlapping security-constraints. One of them (which covers the whole site) will require HTTPS; the other (existing one) will require authentication and authorization, but only for certain (again, existing) URL patterns. Should be no problem.
>>
>> You are correct. I followed Mark's instructions, set up a new security constraint and restarted the server; now when I access localhost I get 'redirected' to https://localhost, which is what I wanted. It was the whole overlapping security-constraint thing that was vexing me somewhat.
>>
>> I can also log into my user and admin areas as normal, which is a relief, but I'm getting some problems with AJAX not updating the live areas of my site, so I'll have to look into that.
>>
>> Now I know this is probably OT, but I'm in the UK and was wondering if anyone has found a UK certification co that has decent customer support, as I now have to figure out how to buy and install a certificate with the right params in a standalone Tomcat instance. My server hosts don't offer support in this area as they seem to be obsessed with Apache httpd :-(
>
> You can use keytool to create your CSR and give it to the CA, and when they give you back a PEM-encoded .crt file, you can import it back into keytool; you just need to know the magic words to do it. So it doesn't matter what the CA says they officially support; you should be able to handle whatever they give you, since it's all X.509 no matter what.

I have the keytool stuff working now. I can create keystores and CSRs and what have you, and access my site on staging (with the obvious warnings etc).

Actually some of the CAs have tools on their websites, for example:
https://www.digicert.com/csr-creation.htm
I use the tool, then take the resulting command string to bits so I can figure out what's going on. Great fun. (I really must get a life.)

> If you want to get a free certificate, try StartCom (startssl.com). They are trusted by most browsers and offer no-cost standard SSL certificates. You have to pay if you want EV certs, or if you want to revoke a cert you've requested in the past. They can also do code-signing certs and other things, for a fee.

OK, thanks for the heads up. Obviously the cert I end up with needs to be as widely recognized as possible, so I'm currently looking at all the browsers I have here (on laptops, tablets, smart phones, whatever gizmo) to see which CAs appear most frequently.

Thanks to all for the advice, I'll probably be back when it all goes horribly wrong :-)

Duncan

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7 ssl by default
On 17 December 2014 at 22:37, Christopher Schultz ch...@christopherschultz.net wrote:
> Duncan,
>
> On 12/17/14 12:32 PM, Lyallex wrote:
>> Yea, I thought of this. The problem is I currently have a user area that requires a login, and all this is currently configured in web.xml, and I'm not sure how all this will fit together. I'll try a few things out and see what happens.
>
> You can have multiple, overlapping security-constraints. One of them (which covers the whole site) will require HTTPS; the other (existing one) will require authentication and authorization, but only for certain (again, existing) URL patterns. Should be no problem.

You are correct. I followed Mark's instructions, set up a new security constraint and restarted the server; now when I access localhost I get 'redirected' to https://localhost, which is what I wanted. It was the whole overlapping security-constraint thing that was vexing me somewhat.

I can also log into my user and admin areas as normal, which is a relief, but I'm getting some problems with AJAX not updating the live areas of my site, so I'll have to look into that.

Now I know this is probably OT, but I'm in the UK and was wondering if anyone has found a UK certification co that has decent customer support, as I now have to figure out how to buy and install a certificate with the right params in a standalone Tomcat instance. My server hosts don't offer support in this area as they seem to be obsessed with Apache httpd :-(

Many thanks
Duncan

> -chris
Re: Tomcat 7 ssl by default
Duncan,

On 12/18/14 4:18 AM, Lyallex wrote:
> On 17 December 2014 at 22:37, Christopher Schultz ch...@christopherschultz.net wrote:
>> Duncan,
>>
>> On 12/17/14 12:32 PM, Lyallex wrote:
>>> Yea, I thought of this. The problem is I currently have a user area that requires a login, and all this is currently configured in web.xml, and I'm not sure how all this will fit together. I'll try a few things out and see what happens.
>>
>> You can have multiple, overlapping security-constraints. One of them (which covers the whole site) will require HTTPS; the other (existing one) will require authentication and authorization, but only for certain (again, existing) URL patterns. Should be no problem.
>
> You are correct. I followed Mark's instructions, set up a new security constraint and restarted the server; now when I access localhost I get 'redirected' to https://localhost, which is what I wanted. It was the whole overlapping security-constraint thing that was vexing me somewhat.
>
> I can also log into my user and admin areas as normal, which is a relief, but I'm getting some problems with AJAX not updating the live areas of my site, so I'll have to look into that.
>
> Now I know this is probably OT, but I'm in the UK and was wondering if anyone has found a UK certification co that has decent customer support, as I now have to figure out how to buy and install a certificate with the right params in a standalone Tomcat instance. My server hosts don't offer support in this area as they seem to be obsessed with Apache httpd :-(

You can use keytool to create your CSR and give it to the CA, and when they give you back a PEM-encoded .crt file, you can import it back into keytool; you just need to know the magic words to do it. So it doesn't matter what the CA says they officially support; you should be able to handle whatever they give you, since it's all X.509 no matter what.

If you want to get a free certificate, try StartCom (startssl.com). They are trusted by most browsers and offer no-cost standard SSL certificates. You have to pay if you want EV certs, or if you want to revoke a cert you've requested in the past. They can also do code-signing certs and other things, for a fee.

-chris
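Chris's keytool advice above, and Duncan's question about installing the certificate "with the right params in a standalone Tomcat instance", carried through as an added example. This is not code from the thread or from the Tomcat project. It assumes a Tomcat 7 JSSE connector, the host name www.example.com, a keystore at /etc/tomcat7/keystore.jks, the key alias tomcat and the password changeit; all of these are placeholders to be replaced.

```xml
<!-- Added example, not from the thread. Placeholders: www.example.com,
     /etc/tomcat7/keystore.jks, alias "tomcat", password "changeit".
     Target: Tomcat 7 with the JSSE (Java keystore) connector.

     keytool sequence that produces the keystore referenced below, run as
     the account that owns the Tomcat installation:

       keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
           -validity 730 -keystore /etc/tomcat7/keystore.jks \
           -dname "CN=www.example.com, O=Example Ltd, L=London, C=GB"
       keytool -certreq -alias tomcat -keystore /etc/tomcat7/keystore.jks \
           -file www.example.com.csr
       (send www.example.com.csr to the CA; it returns the signed server
        certificate and the root/intermediate certificates of its chain)
       keytool -importcert -trustcacerts -alias ca-root \
           -keystore /etc/tomcat7/keystore.jks -file root.crt
       keytool -importcert -trustcacerts -alias ca-intermediate \
           -keystore /etc/tomcat7/keystore.jks -file intermediate.crt
       keytool -importcert -trustcacerts -alias tomcat \
           -keystore /etc/tomcat7/keystore.jks -file www.example.com.crt
       keytool -list -v -keystore /etc/tomcat7/keystore.jks

     The "magic word" is the alias on the last import: it must equal the
     alias of the key pair, so keytool treats the file as a certificate
     reply and attaches it, with the chain imported just before, to the
     private key instead of storing it as an unrelated trusted entry.
     The -list output should then show "Certificate chain length: 3" for
     the tomcat entry; a length of 1 means the chain imports were skipped
     and browsers will not be able to build a path to a trusted root. -->

<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- Plain HTTP. redirectPort is where a CONFIDENTIAL constraint in
         web.xml sends the browser. The stock server.xml ships with 8443,
         which is why a first attempt at forcing HTTPS tends to land on
         https://localhost:8443 instead of https://localhost. -->
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

    <!-- HTTPS. keyAlias must match the alias used with keytool above. -->
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               maxThreads="150"
               keystoreFile="/etc/tomcat7/keystore.jks"
               keystorePass="changeit"
               keyAlias="tomcat"
               clientAuth="false"
               sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
```

The keystore password sits in server.xml in clear text, so that file and the keystore itself should be readable only by the account Tomcat runs as. Binding ports 80 and 443 needs either root at startup or an OS-level mechanism (authbind, a port redirect, or a front proxy) that lets the unprivileged Tomcat user use them; running the whole JVM as root to get the ports is the option to avoid.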
Tomcat 7 ssl by default
Tomcat 7.0.42
jdk1.7.0_51
Ubuntu 12.04/CentOS dev/deploy

I have been reading more and more about Google and the like prioritising sites that employ https/ssl by default. Currently my site does not use https but delegates payment to a secure payment provider who does; thusly I have avoided going through the pain of certification etc. Now it appears I have little option but to implement https site-wide.

I have managed to get a keystore going and have configured Tomcat to serve a self-signed certificate when accessing the site by https (default port 443), so http://localhost accesses the home page and https://localhost pops up a warning in Firefox regarding an unknown certification authority. This is all good and I'm pretty sure I understand so far.

I have noticed that if I type http://www.google.co.uk into a browser the address is automatically changed (redirected) to https://www.google.co.uk, and I would like the same to happen to my site.

Here is the question. Is this 'redirection' something I need to configure myself (can it be done in server.xml, for example), or is this something the people I rent my server from need to do at their end?

TIA
Duncan
Re: Tomcat 7 ssl by default
On 17/12/2014 17:10, Lyallex wrote:
> Tomcat 7.0.42
> jdk1.7.0_51
> Ubuntu 12.04/CentOS dev/deploy
>
> I have been reading more and more about Google and the like prioritising sites that employ https/ssl by default. Currently my site does not use https but delegates payment to a secure payment provider who does; thusly I have avoided going through the pain of certification etc. Now it appears I have little option but to implement https site-wide.
>
> I have managed to get a keystore going and have configured Tomcat to serve a self-signed certificate when accessing the site by https (default port 443), so http://localhost accesses the home page and https://localhost pops up a warning in Firefox regarding an unknown certification authority. This is all good and I'm pretty sure I understand so far.
>
> I have noticed that if I type http://www.google.co.uk into a browser the address is automatically changed (redirected) to https://www.google.co.uk, and I would like the same to happen to my site.
>
> Here is the question. Is this 'redirection' something I need to configure myself (can it be done in server.xml, for example), or is this something the people I rent my server from need to do at their end?

It depends on exactly how things are set up.

The first thing I would try is adding something like the following to your web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

If I have remembered my syntax correctly, that should route every request to https if it isn't already.

Mark
Re: Tomcat 7 ssl by default
Yea, I thought of this. The problem is I currently have a user area that requires a login, and all this is currently configured in web.xml, and I'm not sure how all this will fit together. I'll try a few things out and see what happens.

Thanks for taking the time to respond
Duncan

On 17 December 2014 at 17:20, Mark Thomas ma...@apache.org wrote:
> It depends on exactly how things are set up.
>
> The first thing I would try is adding something like the following to your web.xml:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Everything</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> If I have remembered my syntax correctly, that should route every request to https if it isn't already.
>
> Mark
Re: Tomcat 7 ssl by default
Duncan,

On 12/17/14 12:32 PM, Lyallex wrote:
> Yea, I thought of this. The problem is I currently have a user area that requires a login, and all this is currently configured in web.xml, and I'm not sure how all this will fit together. I'll try a few things out and see what happens.

You can have multiple, overlapping security-constraints. One of them (which covers the whole site) will require HTTPS; the other (existing one) will require authentication and authorization, but only for certain (again, existing) URL patterns. Should be no problem.

-chris