Saturday, November 23, 2013

Force Redirection of HTTP to SSL in Tomcat

If you have a particular app within Tomcat that you want to restrict to SSL (HTTPS) access, this can be accomplished with a couple of edits: a transport guarantee in the app's web.xml, and a redirectPort on the connector that receives the plain HTTP traffic in server.xml.

web.xml file (located in the WEB-INF directory under the specific app directory)

1.  Add a user-data-constraint element inside the security-constraint element.  A transport-guarantee of CONFIDENTIAL tells Tomcat that requests matching the url-pattern may only be served over a secure connection; a request that arrives over plain HTTP is answered with a redirect to the same path on the HTTPS port rather than being processed.  Tomcat applies this check before any authentication, so credentials for the auth-constraint below are never requested over plain HTTP.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>REST calls</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- Optional: additionally require an authenticated user in this role.
         Needs a matching <login-config> and a realm that knows the role. -->
    <auth-constraint>
        <role-name>myrole</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL makes Tomcat redirect plain-HTTP requests matching the
         url-pattern to https://host:redirectPort/same-path -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>



server.xml file (located in the conf directory within your Tomcat instance)

Scenario 1:  Tomcat is acting as the web server, in addition to being the servlet container.

1.  server.xml:  Set the redirectPort attribute on the Connector element that listens for plain HTTP traffic.  Tomcat builds the redirect target (https://host:redirectPort/original-path) from this value, so it must be the port of the HTTPS connector added in Step 2.  Here, Tomcat is listening on 8080 for HTTP traffic and redirects to 8443.

    <!-- Plain HTTP connector; CONFIDENTIAL requests arriving here are sent to port 8443 -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />


2.  server.xml:  Add a Connector element for SSL on the same port you specified as redirectPort in Step 1.  The secure="true" and scheme="https" attributes matter: they are what make Tomcat treat requests on this connector as already confidential.  Without them the CONFIDENTIAL constraint fires again on the HTTPS side and the client is caught in a redirect loop.

    <!-- HTTPS connector; its port must equal the redirectPort above.
         keystorePass="password" is a placeholder: use the real keystore
         password and keep server.xml readable only by the Tomcat user. -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               keystoreFile="/etc/ssl/tomcat/keystore.jks" keystorePass="password"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />



Scenario 2:  Tomcat is only acting as a servlet container.  Apache httpd (or another web server) sits in front of it, terminates SSL, and forwards requests to Tomcat.

1. server.xml:  Set the redirectPort attribute on the Connector element where Tomcat listens for AJP calls (in Apache httpd, the mod_jk module forwards requests to this connector).  Here we're setting redirectPort to the port where Apache httpd is configured for SSL, so the redirect Tomcat issues lands on httpd's HTTPS side.  AJP carries an is-SSL flag with every forwarded request, so requests that reached httpd over HTTPS count as secure and are served, while requests that reached httpd over plain HTTP are redirected.  If httpd proxies to Tomcat over plain HTTP (mod_proxy_http) instead of AJP, Tomcat cannot see the original scheme and every request would be redirected, producing a loop; in that setup configure a RemoteIpValve with protocolHeader="X-Forwarded-Proto" (and have httpd set that header) so Tomcat can tell which requests were already HTTPS.

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
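The three edits above only work together: the url-pattern needs a CONFIDENTIAL guarantee, the plain connector's redirectPort must name a real TLS endpoint, and in Scenario 1 that endpoint must be marked secure="true" and scheme="https" or the redirect loops.  The following Python script is an added example for this post (not Tomcat code) that lints a web.xml and server.xml pair for exactly those conditions.  The XML it parses is constructed inline to mirror the snippets above; the port numbers, the keystore path and keystorePass="changeit" are placeholders, and external_tls=True stands for Scenario 2, where the redirect target is httpd rather than a local Connector.

```python
"""Lint a Tomcat web.xml + server.xml pair for a consistent HTTP -> HTTPS redirect.

Added example for this post, not Tomcat code. All XML below is constructed to
mirror the post's snippets; keystorePass="changeit" is a placeholder.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a namespace: '{http://...}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def unprotected_patterns(web_xml):
    """url-patterns of security-constraints that lack a CONFIDENTIAL
    transport-guarantee, i.e. that Tomcat will still serve over plain HTTP."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        guarantees = {e.text.strip() for e in sc.iter()
                      if _local(e.tag) == "transport-guarantee" and e.text}
        patterns = [e.text.strip() for e in sc.iter()
                    if _local(e.tag) == "url-pattern" and e.text]
        if "CONFIDENTIAL" not in guarantees:
            findings.extend(patterns)
    return findings


def connector_findings(server_xml, external_tls=False):
    """Check each plaintext Connector's redirectPort names a usable TLS endpoint.

    external_tls=True is Scenario 2 (httpd/mod_jk terminates TLS): the target
    port then lives on httpd, not on a local Connector.
    """
    root = ET.fromstring(server_xml)
    connectors = [c.attrib for c in root.iter("Connector")]
    tls_ports = {c.get("port") for c in connectors
                 if c.get("SSLEnabled", "false").lower() == "true"}
    findings = []
    for c in connectors:
        port = c.get("port")
        if port in tls_ports:
            # Tomcat decides request.isSecure() from the Connector's secure
            # attribute. A TLS connector without it looks like plaintext, so
            # CONFIDENTIAL redirects the client back to the same port: a loop.
            if c.get("secure", "false").lower() != "true" or c.get("scheme") != "https":
                findings.append(f"connector {port}: SSLEnabled without "
                                'secure="true" scheme="https" (redirect loop)')
            continue
        target = c.get("redirectPort")
        if not target or not target.isdigit() or int(target) <= 0:
            findings.append(f"connector {port}: no explicit redirectPort")
        elif target not in tls_ports and not external_tls:
            findings.append(f"connector {port}: redirectPort {target} has no "
                            "SSLEnabled connector in server.xml")
    return findings


def lint(web_xml, server_xml, external_tls=False):
    """Combined findings; an empty list means the redirect setup is consistent."""
    return ([f"url-pattern {p}: no CONFIDENTIAL transport-guarantee"
             for p in unprotected_patterns(web_xml)]
            + connector_findings(server_xml, external_tls))


# --- constructed samples (placeholders, mirroring the post) -------------------
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST calls</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>myrole</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Same constraint with the user-data-constraint commented out.
WEB_XML_OPEN = WEB_XML.replace(
    "<user-data-constraint>", "<!--").replace("</user-data-constraint>", "-->")

TLS_CONNECTOR = ('<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" '
                 'keystoreFile="/etc/ssl/tomcat/keystore.jks" keystorePass="changeit" '
                 'maxThreads="150" scheme="https" secure="true" '
                 'clientAuth="false" sslProtocol="TLS"/>')


def _server_xml(*connectors):
    return ('<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">'
            + "".join(connectors) + "</Service></Server>")


# Scenario 1: Tomcat terminates TLS itself.
SERVER_XML_S1 = _server_xml(
    '<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>', TLS_CONNECTOR)
# Scenario 1, broken: TLS connector not marked secure -> redirect loop.
SERVER_XML_S1_LOOP = SERVER_XML_S1.replace(' secure="true"', "")
# Scenario 2: only AJP, httpd terminates TLS on 443.
SERVER_XML_S2 = _server_xml('<Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>')

if __name__ == "__main__":
    for name, (w, s, ext) in {
        "scenario 1": (WEB_XML, SERVER_XML_S1, False),
        "scenario 1 (loop)": (WEB_XML, SERVER_XML_S1_LOOP, False),
        "scenario 2": (WEB_XML, SERVER_XML_S2, True),
        "missing user-data-constraint": (WEB_XML_OPEN, SERVER_XML_S1, False),
    }.items():
        print(name, "->", lint(w, s, ext) or "OK")
```

Once the real files pass the lint, confirm the behaviour end to end with a HEAD request against the plain port (for Scenario 1, `curl -sI http://host:8080/app/`): the response should be a 3xx whose Location header is the https URL on the redirect port, and the same request against that https URL should be served rather than redirected again.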



