Robedan, I recall that we started doing the following in Tomcat 4.1:
In the webapps WEB-INF/web.xml we inserted the following right before </web-app>: <security-constraint> <web-resource-collection> <web-resource-name>Entire Application</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> This forced http:// requests to be https:// for that webapps. I hope it works for you Regards, Dave On Jul 14, 2010, at 11:02 AM, Christopher Schultz wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Robedan, > > On 7/14/2010 1:29 PM, Robedan wrote: >>> Can you post all >>> active <Connector> elements from your conf/server.xml file? >> >> Attached. > > [inlined here:] > >> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" >> port="80" minProcessors="5" maxProcessors="75" enableLookups="true" >> redirectPort="443" acceptCount="100" debug="0" >> connectionTimeout="20000" useURIValidationHack="false" >> disableUploadTimeout="true"/> > > Okay, that's a standard HTTP connector. If the webapp demands a > transport-guarantee of CONFIDENTIAL or INTEGRAL, the connection should > be automatically upgraded by Tomcat by sending the client a redirect to > the same URL but with https:// and the redirectPort set above. So, if > you request http://host/myapp/foo.jsp, then Tomcat should redirect to > https://host/myapp/foo.jsp given the above configuration (use of the > default redirectPort of 443 does not result in :443 being added to the > end of the host portion, since it's the default). > > The above plus the <transport-guarantee> should be all you need. What is > your experience when you use these two settings together? > >> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" >> port="443" minProcessors="5" maxProcessors="75" enableLookups="true" >> acceptCount="100" debug="0" scheme="https" secure="true" >> useURIValidationHack="false" disableUploadTimeout="true"> >> [...] >> </Connector> > > Technically, the configuration of the HTTPS connector is not relevant: > Tomcat won't ever "downgrade" your connection for you. > >>> The web.xml file should be in >>> your webapp's deployment directory under WEB-INF/web.xml. >> >> I've tried it there, but with the same results. > > What were those results? Give us an example of a URL that should > redirect to a secure URL. Can you use wget or something similar to show > what the server interaction is? > >> This is the only application that will ever be on this server, so >> either should work, yes? > > Yes, either should work, but there's no reason to be sloppy, is there? > >>> Your vendor needs to get with the program and >>> start supporting a version of Tomcat that was written in the last 5 years. >> >> Amen! I may end up trying what you did, but I'm not familiar with Tomcat yet. >> I'm a quick study though... > > Is this a custom webapp that your company owns, or is this something > you've bought from someone else, and they refuse to support a newer > version of Tomcat? I would imagine that security and performance would > be goals worthy of their attention. Maybe they already have your money, > though ;) > > - -chris > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iEYEARECAAYFAkw9+7QACgkQ9CaO5/Lv0PCN5wCggQeCkCZRUwbNg8zsKcXvRzPt > HAkAoIJz9mXkxJn3q9oXGQ5iTa25+weH > =6NBV > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org