I have psi-probe version 2.4.0 deployed in our Tomcat webapps, and made the
following changes to my server.xml + web.xml
Web.xml (enable HSTS):

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>

Force TLS on our domain:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Context</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Finally, in server.xml, redirect port 80 to port 443:

    <Connector port="80" protocol="org.apache.coyote.http11.Http11AprProtocol"
               enableLookups="false" redirectPort="443" />
This works fine for our webapps, but when simultaneously using HSTS and the
SSL forward I get the following error in psi-probe:

    You do not have sufficient privileges to access this page. Please use the
    navigation bar to choose another area or click "back" button in your
    browser.
Disabling either HSTS or https forward solves this issue, so this has
nothing to do with user roles not being correct. I can't figure out why
this is happening.
Kind regards,
Harrie Robins
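An added example, not part of the mail above: an offline checker for the posture the web.xml and server.xml fragments are meant to produce (a redirect from the port-80 connector to https on the same host, a Strict-Transport-Security header with the configured hstsMaxAgeSeconds, and X-Frame-Options SAMEORIGIN). The sample responses are constructed stand-ins for what `curl -I` against port 80 and port 443 would return; the host name and the function names are assumptions of this example, not of Tomcat or psi-probe.

```python
"""Offline checker for the HTTP->HTTPS redirect, HSTS and anti-clickjacking
headers that the filter, security-constraint and Connector in the mail aim for.
Added example; the response samples below are constructed, not captured."""
from urllib.parse import urlparse

EXPECTED_HSTS_MAX_AGE = 31536000      # hstsMaxAgeSeconds from the filter config
EXPECTED_FRAME_OPTION = "SAMEORIGIN"  # antiClickJackingOption from the filter config


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-True}.
    Directive names are case-insensitive; a directive without '=' maps to True."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def normalize(headers):
    """Lower-case header names so lookups are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def check_http_redirect(status, headers, host):
    """The plain-HTTP connector must answer with a redirect to https on the same host.
    Returns a list of findings; an empty list means the check passed."""
    findings = []
    if status not in (301, 302, 303, 307, 308):
        findings.append(f"http: expected redirect status, got {status}")
        return findings
    location = headers.get("location")
    if location is None:
        findings.append("http: redirect without Location header")
        return findings
    target = urlparse(location)
    if target.scheme != "https":
        findings.append(f"http: redirect target is not https: {location}")
    if target.hostname != host:
        findings.append(f"http: redirect leaves the host: {location}")
    return findings


def check_https_headers(headers):
    """The HTTPS response must carry HSTS with at least the configured max-age
    and the X-Frame-Options value set in the filter."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("https: Strict-Transport-Security header missing")
    else:
        try:
            max_age = int(parse_hsts(hsts).get("max-age", -1))
        except (TypeError, ValueError):
            max_age = -1
        if max_age < EXPECTED_HSTS_MAX_AGE:
            findings.append(f"https: HSTS max-age {max_age} below configured {EXPECTED_HSTS_MAX_AGE}")
    xfo = headers.get("x-frame-options")
    if xfo is None or xfo.upper() != EXPECTED_FRAME_OPTION:
        findings.append(f"https: X-Frame-Options is {xfo!r}, expected {EXPECTED_FRAME_OPTION}")
    return findings


def audit(http_response, https_response, host):
    """Run both checks on (status, headers) tuples and return all findings."""
    status, headers = http_response
    findings = check_http_redirect(status, normalize(headers), host)
    _, headers = https_response
    return findings + check_https_headers(normalize(headers))


# Constructed samples: what a correctly configured and a misconfigured host might return.
HTTP_SAMPLE = (302, {"Location": "https://example.invalid/probe/"})
HTTPS_SAMPLE = (200, {"Strict-Transport-Security": "max-age=31536000",
                      "X-Frame-Options": "SAMEORIGIN"})
BAD_HTTPS_SAMPLE = (200, {"Strict-Transport-Security": "max-age=86400"})

if __name__ == "__main__":
    for line in audit(HTTP_SAMPLE, HTTPS_SAMPLE, "example.invalid") or ["all checks passed"]:
        print(line)
    for line in audit(HTTP_SAMPLE, BAD_HTTPS_SAMPLE, "example.invalid"):
        print(line)
```

Feeding it real headers (for instance from `curl -sI` against each port) separates "the headers are right" from "the application denies access", which is the distinction the reported error message hides.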