Robedan,
On 7/14/2010 1:29 PM, Robedan wrote:
>> Can you post all
>> active <Connector> elements from your conf/server.xml file?
>
> Attached.

[inlined here:]

> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>     port="80" minProcessors="5" maxProcessors="75" enableLookups="true"
>     redirectPort="443" acceptCount="100" debug="0"
>     connectionTimeout="20000" useURIValidationHack="false"
>     disableUploadTimeout="true"/>

Okay, that's a standard HTTP connector. If the webapp demands a transport-guarantee of CONFIDENTIAL or INTEGRAL, the connection should be automatically upgraded by Tomcat by sending the client a redirect to the same URL but with https:// and the redirectPort set above.

So, if you request http://host/myapp/foo.jsp, then Tomcat should redirect to https://host/myapp/foo.jsp given the above configuration (use of the default redirectPort of 443 does not result in :443 being added to the end of the host portion, since it's the default).

The above plus the <transport-guarantee> should be all you need. What is your experience when you use these two settings together?

> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>     port="443" minProcessors="5" maxProcessors="75" enableLookups="true"
>     acceptCount="100" debug="0" scheme="https" secure="true"
>     useURIValidationHack="false" disableUploadTimeout="true">
> [...]
> </Connector>

Technically, the configuration of the HTTPS connector is not relevant: Tomcat won't ever "downgrade" your connection for you.

>> The web.xml file should be in
>> your webapp's deployment directory under WEB-INF/web.xml.
>
> I've tried it there, but with the same results.

What were those results? Give us an example of a URL that should redirect to a secure URL. Can you use wget or something similar to show what the server interaction is?

> This is the only application that will ever be on this server, so
> either should work, yes?

Yes, either should work, but there's no reason to be sloppy, is there?

>> Your vendor needs to get with the program and
>> start supporting a version of Tomcat that was written in the last 5 years.
>
> Amen! I may end up trying what you did, but I'm not familiar with Tomcat yet.
> I'm a quick study though...

Is this a custom webapp that your company owns, or is this something you've bought from someone else, and they refuse to support a newer version of Tomcat? I would imagine that security and performance would be goals worthy of their attention. Maybe they already have your money, though ;)

-chris
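
Added example, not part of the original message and not Tomcat's own code: a Python sketch that reads a connector and a web.xml constraint like the ones discussed above and computes the redirect the message describes, including the omission of the default :443. The web.xml fragment, its /* url-pattern, the /myapp context default and all function names are assumptions constructed for illustration; url-pattern matching is simplified.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the HTTP connector from the message, trimmed to the attributes used here
SERVER_XML = """<Service>
  <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
             port="80" redirectPort="443"/>
</Service>"""

# Constructed web.xml fragment (assumption: no XML namespace, the real file is not shown)
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint></web-app>"""

def pattern_matches(pattern, path):
    """Simplified servlet url-pattern match: exact, prefix (/x/*) or extension (*.x)."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def requires_tls(web_xml, path):
    """True if a constraint covering `path` demands CONFIDENTIAL or INTEGRAL."""
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "").strip()
        patterns = [p.text.strip() for p in sc.iter("url-pattern") if p.text]
        if guarantee in ("CONFIDENTIAL", "INTEGRAL") and any(
                pattern_matches(p, path) for p in patterns):
            return True
    return False

def expected_redirect(server_xml, web_xml, url, context="/myapp"):
    """Return the https:// URL a plain-HTTP request should be redirected to, or None."""
    u = urlsplit(url)
    port = str(u.port or 80)
    conn = next((c for c in ET.fromstring(server_xml).iter("Connector")
                 if c.get("port") == port), None)
    if u.scheme != "http" or conn is None or not u.path.startswith(context + "/"):
        return None
    if not requires_tls(web_xml, u.path[len(context):]):
        return None
    rport = conn.get("redirectPort", "443")  # 443 is the default named in the message
    host = u.hostname if rport == "443" else f"{u.hostname}:{rport}"
    return f"https://{host}{u.path}" + (f"?{u.query}" if u.query else "")
```

Comparing the returned URL with the Location header the server actually sends shows whether the constraint in WEB-INF/web.xml is being applied.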