Robedan,
I recall that we started doing the following in Tomcat 4.1:
In the webapps WEB-INF/web.xml we inserted the following right before
</web-app>:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
This forced http:// requests to be https:// for that webapps.
I hope it works for you
Regards,
Dave
On Jul 14, 2010, at 11:02 AM, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Robedan,
>
> On 7/14/2010 1:29 PM, Robedan wrote:
>>> Can you post all
>>> active <Connector> elements from your conf/server.xml file?
>>
>> Attached.
>
> [inlined here:]
>
>> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>> port="80" minProcessors="5" maxProcessors="75" enableLookups="true"
>> redirectPort="443" acceptCount="100" debug="0"
>> connectionTimeout="20000" useURIValidationHack="false"
>> disableUploadTimeout="true"/>
>
> Okay, that's a standard HTTP connector. If the webapp demands a
> transport-guarantee of CONFIDENTIAL or INTEGRAL, the connection should
> be automatically upgraded by Tomcat by sending the client a redirect to
> the same URL but with https:// and the redirectPort set above. So, if
> you request http://host/myapp/foo.jsp, then Tomcat should redirect to
> https://host/myapp/foo.jsp given the above configuration (use of the
> default redirectPort of 443 does not result in :443 being added to the
> end of the host portion, since it's the default).
>
> The above plus the <transport-guarantee> should be all you need. What is
> your experience when you use these two settings together?
>
>> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>> port="443" minProcessors="5" maxProcessors="75" enableLookups="true"
>> acceptCount="100" debug="0" scheme="https" secure="true"
>> useURIValidationHack="false" disableUploadTimeout="true">
>> [...]
>> </Connector>
>
> Technically, the configuration of the HTTPS connector is not relevant:
> Tomcat won't ever "downgrade" your connection for you.
>
>>> The web.xml file should be in
>>> your webapp's deployment directory under WEB-INF/web.xml.
>>
>> I've tried it there, but with the same results.
>
> What were those results? Give us an example of a URL that should
> redirect to a secure URL. Can you use wget or something similar to show
> what the server interaction is?
>
>> This is the only application that will ever be on this server, so
>> either should work, yes?
>
> Yes, either should work, but there's no reason to be sloppy, is there?
>
>>> Your vendor needs to get with the program and
>>> start supporting a version of Tomcat that was written in the last 5 years.
>>
>> Amen! I may end up trying what you did, but I'm not familiar with Tomcat yet.
>> I'm a quick study though...
>
> Is this a custom webapp that your company owns, or is this something
> you've bought from someone else, and they refuse to support a newer
> version of Tomcat? I would imagine that security and performance would
> be goals worthy of their attention. Maybe they already have your money,
> though ;)
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkw9+7QACgkQ9CaO5/Lv0PCN5wCggQeCkCZRUwbNg8zsKcXvRzPt
> HAkAoIJz9mXkxJn3q9oXGQ5iTa25+weH
> =6NBV
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
