RE: SSL Redirect problem
Thomas,

I did your quick test, and I can confirm what you thought. If I configure Tomcat with the default port for http (80) and https (443), it works! So it's an IE bug. Anyway, it will be a known bug! Thank you.

Richard

-----Original Message-----
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 21, 2004 17:28
To: 'Tomcat Users List'
Subject: RE: SSL Redirect problem

Sounds like an IE bug. I suspect IE is sending the wrong port information at some point in the redirect from http to https. To confirm this you'll need to look at the http headers going back and forth.

One quick test would be to configure tomcat for the default ports (80 for http and 443 for https). If you use the default ports IE doesn't send any port info and hence doesn't send the wrong port info.

Mark

-----Original Message-----
From: Richard HALLIER [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 21, 2004 3:30 PM
To: Tomcat Users List
Subject: SSL Redirect problem

Hi,

I'd like to submit a weird problem that occurs with the following configuration:
- Server Tomcat 5.0.28
- https connector activated with client authentication
- Browser IE v6 sp2 with client certificate installed
- Browser FireFox 1.0final with client certificate installed

Sequence under Firefox:
- Connection to http://localhost:8080/mywebapp
- SSL server part OK
- SSL client authentication OK
- Displayed url in the browser: https://localhost:8443/mywebapp
- Webapp displayed

Sequence under IE:
- Connection to http://localhost:8080/mywebapp
- SSL server part OK
- SSL client authentication: timeout

Sequence under IE:
- Connection to https://localhost:8443/mywebapp
- SSL server part OK
- SSL client authentication OK
- Webapp displayed

I can't resolve my problem! I'm lost, have you any pointers? Any help appreciated! Thank you.

Richard

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
SSL Redirect problem
Hi,

I'd like to submit a weird problem that occurs with the following configuration:
- Server Tomcat 5.0.28
- https connector activated with client authentication
- Browser IE v6 sp2 with client certificate installed
- Browser FireFox 1.0final with client certificate installed

Sequence under Firefox:
- Connection to http://localhost:8080/mywebapp
- SSL server part OK
- SSL client authentication OK
- Displayed url in the browser: https://localhost:8443/mywebapp
- Webapp displayed

Sequence under IE:
- Connection to http://localhost:8080/mywebapp
- SSL server part OK
- SSL client authentication: timeout

Sequence under IE:
- Connection to https://localhost:8443/mywebapp
- SSL server part OK
- SSL client authentication OK
- Webapp displayed

I can't resolve my problem! I'm lost, have you any pointers? Any help appreciated! Thank you.

Richard
RE: SSL
Really great! Thank you a lot for your help!

Richard

-----Original Message-----
From: Carl Olivier [mailto:[EMAIL PROTECTED]
Sent: Friday, November 19, 2004 07:10
To: Tomcat Users List
Subject: RE: SSL

Alternatively, if you wish to accept HTTP connections, but redirect (forced to https) you could add a security-constraint to your webapp's /WEB-INF/web.xml - before the </web-app>:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HTTP to HTTPS redirection</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Thus, both the http and https connectors can exist in the same Service - where your web app host lives, but the WEBAPP ITSELF will ensure that even http requests to it will be redirected to https.

Be sure to specify the correct redirectPort attribute in your HTTP connector - to 443 or 8443 depending on what port your HTTPS connector listens on.

Thus, people can request your site/webapp using http - but will be redirected to https immediately for all requests.

Hope that helps.

Carl

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 7:53 PM
To: Tomcat Users List
Subject: RE: SSL

Hi,
Yeah, reorganize your server.xml into two engines, with one connector and webapp each. One engine will have the SSL connector and webapp, and the other engine will have the non-SSL connector and webapp.

Yoav Shapira http://www.yoavshapira.com

-----Original Message-----
From: Richard HALLIER [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 12:42 PM
To: Tomcat Users List
Subject: RE: SSL

Thank you for your reply, but I've omitted to say that I have another webapp that is non-ssl, so I must have the two connectors (http, https) up. Do you have a solution? Really thank you for your help.

Richard

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 18:09
To: Tomcat Users List
Subject: RE: SSL

Hi,
Comment out the non-SSL connector element in server.xml.

Yoav Shapira http://www.yoavshapira.com

-----Original Message-----
From: Richard HALLIER [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 12:02 PM
To: tomcat mailing-list
Subject: SSL

Hi everybody,

Sorry if this question has been already asked, but I didn't find any pointers in the archive. I'm in the following context: Tomcat 5.0.x, Connector SSL active. I'd like to prevent everybody from using my webapp with the HTTP protocol, in fact I'd like to restrict access to my webapp only to the https protocol. For the moment and with a standard configuration, I can access my webapp from http and https protocol ...

Thank you for your help.

Richard

This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you.
RE: SSL
Is there a means to write this security constraint at the context definition level?

Richard

-----Original Message-----
From: Carl Olivier [mailto:[EMAIL PROTECTED]
Sent: Friday, November 19, 2004 07:10
To: Tomcat Users List
Subject: RE: SSL

Alternatively, if you wish to accept HTTP connections, but redirect (forced to https) you could add a security-constraint to your webapp's /WEB-INF/web.xml - before the </web-app>:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HTTP to HTTPS redirection</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Thus, both the http and https connectors can exist in the same Service - where your web app host lives, but the WEBAPP ITSELF will ensure that even http requests to it will be redirected to https.

Be sure to specify the correct redirectPort attribute in your HTTP connector - to 443 or 8443 depending on what port your HTTPS connector listens on.

Thus, people can request your site/webapp using http - but will be redirected to https immediately for all requests.

Hope that helps.

Carl

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 7:53 PM
To: Tomcat Users List
Subject: RE: SSL

Hi,
Yeah, reorganize your server.xml into two engines, with one connector and webapp each. One engine will have the SSL connector and webapp, and the other engine will have the non-SSL connector and webapp.

Yoav Shapira http://www.yoavshapira.com

-----Original Message-----
From: Richard HALLIER [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 12:42 PM
To: Tomcat Users List
Subject: RE: SSL

Thank you for your reply, but I've omitted to say that I have another webapp that is non-ssl, so I must have the two connectors (http, https) up. Do you have a solution? Really thank you for your help.

Richard

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 18:09
To: Tomcat Users List
Subject: RE: SSL

Hi,
Comment out the non-SSL connector element in server.xml.

Yoav Shapira http://www.yoavshapira.com

-----Original Message-----
From: Richard HALLIER [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 12:02 PM
To: tomcat mailing-list
Subject: SSL

Hi everybody,

Sorry if this question has been already asked, but I didn't find any pointers in the archive. I'm in the following context: Tomcat 5.0.x, Connector SSL active. I'd like to prevent everybody from using my webapp with the HTTP protocol, in fact I'd like to restrict access to my webapp only to the https protocol. For the moment and with a standard configuration, I can access my webapp from http and https protocol ...

Thank you for your help.

Richard
RE: SSL
Thank you a lot Carl

Richard

-----Original Message-----
From: Carl Olivier [mailto:[EMAIL PROTECTED]
Sent: Friday, November 19, 2004 13:19
To: Tomcat Users List
Subject: RE: SSL

Those examples again - did not come out too great!

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HTTP to HTTPS redirection</web-resource-name>
        <url-pattern>/shopping/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HTTP to HTTPS redirection</web-resource-name>
        <url-pattern>/payment/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

-----Original Message-----
From: Carl Olivier [mailto:[EMAIL PROTECTED]
Sent: Friday, November 19, 2004 2:11 PM
To: Tomcat Users List
Subject: RE: SSL

Well, not at the definition entry itself, but you can modify the security-constraint url-pattern to only force the redirection under certain contexts. You can also have multiple security-constraint entries. For example:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HTTP to HTTPS redirection</web-resource-name>
        <!-- only requests under the /shopping/ context -->
        <url-pattern>/shopping/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HTTP to HTTPS redirection</web-resource-name>
        <!-- or under the /payment/ context -->
        <url-pattern>/payment/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Hope that helps.

Carl

-----Original Message-----
From: Richard HALLIER [mailto:[EMAIL PROTECTED]
Sent: Friday, November 19, 2004 12:38 PM
To: Tomcat Users List
Subject: RE: SSL

Is there a means to write this security constraint at the context definition level?

Richard

-----Original Message-----
From: Carl Olivier [mailto:[EMAIL PROTECTED]
Sent: Friday, November 19, 2004 07:10
To: Tomcat Users List
Subject: RE: SSL

Alternatively, if you wish to accept HTTP connections, but redirect (forced to https) you could add a security-constraint to your webapp's /WEB-INF/web.xml - before the </web-app>:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HTTP to HTTPS redirection</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Thus, both the http and https connectors can exist in the same Service - where your web app host lives, but the WEBAPP ITSELF will ensure that even http requests to it will be redirected to https.

Be sure to specify the correct redirectPort attribute in your HTTP connector - to 443 or 8443 depending on what port your HTTPS connector listens on.

Thus, people can request your site/webapp using http - but will be redirected to https immediately for all requests.

Hope that helps.

Carl

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 7:53 PM
To: Tomcat Users List
Subject: RE: SSL

Hi,
Yeah, reorganize your server.xml into two engines, with one connector and webapp each. One engine will have the SSL connector and webapp, and the other engine will have the non-SSL connector and webapp.

Yoav Shapira http://www.yoavshapira.com

-----Original Message-----
From: Richard HALLIER [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 12:42 PM
To: Tomcat Users List
Subject: RE: SSL

Thank you for your reply, but I've omitted to say that I have another webapp that is non-ssl, so I must have the two connectors (http, https) up. Do you have a solution? Really thank you
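An added example, not part of the thread and not Tomcat's own code: a small Python check that the redirectPort advice and the CONFIDENTIAL constraints discussed in the messages above line up. The server.xml and web.xml samples are constructed, the function names are hypothetical, and the fallback to 443 for a missing redirectPort is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not from the thread): the HTTP connector redirects to
# 443 while HTTPS listens on 8443, and only /shopping/* is forced to HTTPS.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" redirectPort="443"/>
  <Connector port="8443" scheme="https" secure="true" clientAuth="true"/>
</Service></Server>"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTP to HTTPS redirection</web-resource-name>
      <url-pattern>/shopping/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Element name without its XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def confidential_patterns(web_xml):
    """url-patterns covered by a CONFIDENTIAL transport-guarantee."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        items = [(local(e.tag), (e.text or "").strip()) for e in sc.iter()]
        if ("transport-guarantee", "CONFIDENTIAL") in items:
            patterns += [text for name, text in items if name == "url-pattern"]
    return patterns

def audit(server_xml, web_xml):
    """Findings for a setup where HTTP requests will not end up on HTTPS."""
    findings = []
    connectors = [c.attrib for c in ET.fromstring(server_xml).iter("Connector")]
    https_ports = {c["port"] for c in connectors if c.get("scheme") == "https"}
    for c in connectors:
        if c.get("scheme") == "https":
            continue
        # Assumption: Tomcat uses 443 when redirectPort is not set.
        target = c.get("redirectPort", "443")
        if target not in https_ports:
            findings.append(f"connector {c['port']}: redirectPort {target} is not an HTTPS connector")
    patterns = confidential_patterns(web_xml)
    if "/*" not in patterns:
        findings.append(f"web.xml: whole webapp not forced to HTTPS, only {patterns}")
    return findings
```

The second finding is informational when only some paths are meant to be protected, as in the /shopping/ and /payment/ messages.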
SSL
Hi everybody,

Sorry if this question has been already asked, but I didn't find any pointers in the archive. I'm in the following context: Tomcat 5.0.x, Connector SSL active. I'd like to prevent everybody from using my webapp with the HTTP protocol, in fact I'd like to restrict access to my webapp only to the https protocol. For the moment and with a standard configuration, I can access my webapp from http and https protocol ...

Thank you for your help.

Richard
RE: SSL
Thank you for your reply, but I've omitted to say that I have another webapp that is non-ssl, so I must have the two connectors (http, https) up. Do you have a solution? Really thank you for your help.

Richard

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 18:09
To: Tomcat Users List
Subject: RE: SSL

Hi,
Comment out the non-SSL connector element in server.xml.

Yoav Shapira http://www.yoavshapira.com

-----Original Message-----
From: Richard HALLIER [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 12:02 PM
To: tomcat mailing-list
Subject: SSL

Hi everybody,

Sorry if this question has been already asked, but I didn't find any pointers in the archive. I'm in the following context: Tomcat 5.0.x, Connector SSL active. I'd like to prevent everybody from using my webapp with the HTTP protocol, in fact I'd like to restrict access to my webapp only to the https protocol. For the moment and with a standard configuration, I can access my webapp from http and https protocol ...

Thank you for your help.

Richard