Saturday, November 23, 2013

Force Redirection of HTTP to SSL in Tomcat

If you have a particular app within Tomcat that you want to restrict to SSL access, this can be accomplished with a couple of edits.

web.xml file (located in the WEB-INF directory under the specific app directory)

1.  Add a user-data-constraint under the security-constraint directive.  A transport-guarantee of CONFIDENTIAL tells Tomcat to redirect any plain-HTTP request that matches the constraint to the redirectPort configured in server.xml.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>REST calls</web-resource-name>
            <!-- url-pattern is assumed here: /* applies the constraint to the whole app -->
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

server.xml file (located in the conf directory within your tomcat instance)

Scenario 1:  Tomcat is acting as the web server, in addition to being the servlet container.

1.  server.xml:  Set the redirectPort property on the Connector directive that specifies where Tomcat is listening for HTTP traffic.  Here, Tomcat is listening on 8080 for HTTP traffic and has a redirectPort of 8443.
    <Connector port="8080" protocol="HTTP/1.1"
               redirectPort="8443" />

2.  server.xml:  Add a Connector directive for SSL with the same port you specified in Step 1.

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               keystoreFile="/etc/ssl/tomcat/keystore.jks" keystorePass="password"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

Scenario 2:  Tomcat is only acting as a servlet container.  Apache httpd (or other flavor) is acting as the web server.

1.  server.xml:  Set the redirectPort property on the Connector directive where Tomcat is listening for AJP calls (with Apache httpd, the mod_jk module acts as the connector to Tomcat).  Here we're setting the redirectPort to the port where Apache httpd is configured for SSL.

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
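The two edits above only force SSL when they agree with each other: the CONFIDENTIAL guarantee in web.xml makes Tomcat redirect, and the redirectPort on the plain connector decides where that redirect points.  The script below is an added example (not part of this post, and not Tomcat's own tooling) that lints both files: it checks every security-constraint in web.xml for a CONFIDENTIAL transport-guarantee, and checks that each non-SSL Connector's redirectPort names an SSLEnabled connector (Scenario 1) or the front-end web server's HTTPS port (Scenario 2).  The sample XML inside it is constructed from the snippets in this post; the function names and the external_tls_port parameter are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations modelled on the post's snippets
# (not copied from a real deployment).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST calls</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Same constraint with the user-data-constraint forgotten: nothing forces SSL.
WEB_XML_WEAK = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST calls</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

# Scenario 1: Tomcat terminates TLS itself on 8443.
SERVER_XML_SCENARIO1 = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" sslProtocol="TLS" />
</Service></Server>"""

# Scenario 2: httpd terminates TLS on 443 and forwards over AJP.
SERVER_XML_SCENARIO2 = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
</Service></Server>"""


def _local(tag):
    """Drop the namespace prefix ElementTree puts on tags from web.xml."""
    return tag.rsplit("}", 1)[-1]


def _first_text(elem, name):
    """Text of the first descendant of elem with the given local tag name."""
    for e in elem.iter():
        if _local(e.tag) == name and e.text:
            return e.text.strip()
    return None


def check_web_xml(text):
    """Return findings: every security-constraint must carry a user-data-constraint
    with transport-guarantee CONFIDENTIAL, or its resources stay reachable over HTTP."""
    root = ET.fromstring(text)
    findings = []
    constraints = [e for e in root.iter() if _local(e.tag) == "security-constraint"]
    if not constraints:
        findings.append("web.xml: no security-constraint at all")
    for sc in constraints:
        name = _first_text(sc, "web-resource-name") or "<unnamed>"
        guarantee = _first_text(sc, "transport-guarantee")
        if guarantee != "CONFIDENTIAL":
            findings.append(f"web.xml: constraint '{name}' has transport-guarantee "
                            f"{guarantee}, expected CONFIDENTIAL")
    return findings


def check_server_xml(text, external_tls_port=None):
    """Return findings about redirectPort wiring.
    Scenario 1 (external_tls_port is None): a non-SSL Connector's redirectPort must
    name a Connector in the same file with SSLEnabled="true".
    Scenario 2 (external_tls_port given): the redirectPort must be the port the
    front-end web server serves HTTPS on, since Tomcat has no SSL connector."""
    root = ET.fromstring(text)
    connectors = [e for e in root.iter() if _local(e.tag) == "Connector"]
    tls_ports = {c.get("port") for c in connectors
                 if c.get("SSLEnabled", "false").lower() == "true"}
    findings = []
    for c in connectors:
        port = c.get("port")
        if port in tls_ports:
            continue  # the SSL connector itself needs no redirect
        rp = c.get("redirectPort")
        if rp is None:
            findings.append(f"server.xml: connector {port} sets no redirectPort "
                            "(Tomcat falls back to its default of 443)")
        elif external_tls_port is not None:
            if rp != str(external_tls_port):
                findings.append(f"server.xml: connector {port} redirects to {rp}, but "
                                f"the front end serves HTTPS on {external_tls_port}")
        elif rp not in tls_ports:
            findings.append(f"server.xml: connector {port} redirects to {rp}, "
                            "which is not an SSLEnabled connector in this file")
    return findings


if __name__ == "__main__":
    for label, found in [("web.xml", check_web_xml(WEB_XML)),
                         ("web.xml (weak)", check_web_xml(WEB_XML_WEAK)),
                         ("scenario 1", check_server_xml(SERVER_XML_SCENARIO1)),
                         ("scenario 2", check_server_xml(SERVER_XML_SCENARIO2, 443))]:
        print(label, "->", "OK" if not found else found)
```

To run it against a real instance, feed the contents of WEB-INF/web.xml to check_web_xml and conf/server.xml to check_server_xml, passing external_tls_port only when a front-end web server terminates SSL (Scenario 2).  An empty list means the two files agree; any finding points at the exact connector or constraint to fix.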

