Re: AW: How to redirect http to https automatically?

2004-10-18 Thread raiden
Hello,

I believe all but your third example is correct.  I am pretty sure that a
cookie set for www.domaina.com will be sent to that same domain if it's in
http or https.

However, if the cookie is marked as secure, it will only be sent under
https.

This is what has caused the problem.  I still don't know why the Tomcat
team decided to take out the configurable option of forcing session
cookies that were created under https to be secure or not.  (I understand
that it makes a good default, from a security point of view.  But for
those that are aware of the security implications, we no longer have the
option to turn it off.)

This has caused a problem for many people, and has come up in numerous
threads since this change was made in the Tomcat 4.x line.  (Or perhaps,
the configurable option was added to the 3.x line, and never added to the
4.x and 5.x lines?)

http://www.junlu.com/msg/49789.html
http://www.mail-archive.com/[EMAIL PROTECTED]/msg83724.html
http://archives.real-time.com/pipermail/tomcat-devel/2001-October/024544.html

Thanks,
-Raiden Johnson


On Sat, 16 Oct 2004, Steffen Heil wrote:

> Hi
>
> > Actually, I'm a big advocate against staying in HTTPS, because of the
> > overhead.  However, this is a problem with Tomcat, because in the 4.x and
> > 5.x lines it was decided by someone that if a session started in HTTPS it is
> > only valid in HTTPS (basically, the session cookie is turned into a secure
> > cookie only).
>
> I do not understand this.
> I always thought cookies were only valid for ONE domain and ONE Protocol,
> so the following would be pairwise different and thus cannot share a cookie:
>
> http://www.domaina.com  http://www.domainb.com
> http://www.domaina.com  http://domainb.com
> http://www.domaina.com  https://www.domaina.com
>
> Is my view wrong? Is there a way to reattach a session to a request, if
> the old sessionID is known?
>
> Regards,
>   Steffen


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



AW: How to redirect http to https automatically?

2004-10-16 Thread Steffen Heil
Hi

> Actually, I'm a big advocate against staying in HTTPS, because of the
> overhead.  However, this is a problem with Tomcat, because in the 4.x and
> 5.x lines it was decided by someone that if a session started in HTTPS it is
> only valid in HTTPS (basically, the session cookie is turned into a secure
> cookie only).

I do not understand this.
I always thought cookies were only valid for ONE domain and ONE Protocol,
so the following would be pairwise different and thus cannot share a cookie:

http://www.domaina.com  http://www.domainb.com
http://www.domaina.com  http://domainb.com
http://www.domaina.com  https://www.domaina.com

Is my view wrong? Is there a way to reattach a session to a request, if
the old sessionID is known?

Regards,
  Steffen




Re: How to redirect http to https automatically?

2004-10-15 Thread David Wall
I don't know the answer to that.  It's unlikely, though.  You could put
something like Apache in the front and use URL rewriting, which can
basically force any URL with a given pattern to be redirected, either
forcing HTTP or HTTPS and doing the redirect only when the scheme is not
what you want.

In general, though, when you know you are shifting between secure and
insecure, you should perhaps create URLs that make this explicit.  In
general, you enter a secure mode when starting a secure set of transactions,
and then switch back when you are done.  Of course, you could just stay with
HTTPS once they enter secure mode since securing the communications may have
overhead, but it adds privacy.

David


- Original Message - 
From: Antony Paul [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]; David Wall
[EMAIL PROTECTED]
Sent: Thursday, October 14, 2004 9:42 PM
Subject: Re: How to redirect http to https automatically?


> Is it possible to switch from https to http using this kind of
> configuration?
> I tried with NONE for user constraint but it still remains in https.
>
> rgds
> Antony Paul
>
>
> On Thu, 14 Oct 2004 08:40:31 -0700, David Wall [EMAIL PROTECTED]
> wrote:
> > This is part of the servlet specs.  In your WEB-INF/web.xml file, you need
> > a security constraint that says the site should be secure, something like:
> >
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>Entire site</web-resource-name>
> >     <url-pattern>/*</url-pattern>
> >     <!-- no <http-method> elements: listing methods would leave every
> >          unlisted method (HEAD, PUT, ...) outside the constraint -->
> >   </web-resource-collection>
> >   <user-data-constraint>
> >     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >   </user-data-constraint>
> > </security-constraint>
> >
> > The confidential keyword ensures that the webapp will require https, so if
> > you try to get it via http, then the redirect stuff specified in your
> > server.xml will be applied.
> >
> > David
> >
> >
> >
> > - Original Message -
> > From: Won Sim [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Sent: Wednesday, October 13, 2004 8:13 AM
> > Subject: How to redirect http to https automatically?
> >
> > > I set redirectPort attribute to 443, which is my SSL connector port
> > > number, from port 80 connector in the server.xml. This doesn't redirect http
> > > to https automatically. In other words, I still can access the application
> > > via http://server/myapp. I want to know how to redirect http to https
> > > automatically so when I enter http://server/myapp, Tomcat redirects to
> > > https://server/myapp. I am using Tomcat 4.1.30.
> > >
> > > Thanks in advance.
> > > Won.
> > >
> > > _
> > > Don't just search. Find. Check out the new MSN Search!
> > > http://search.msn.click-url.com/go/onm00200636ave/direct/01/





Re: How to redirect http to https automatically?

2004-10-15 Thread raiden
Actually, I'm a big advocate against staying in HTTPS, because of the
overhead.  However, this is a problem with Tomcat, because in the 4.x and
5.x lines it was decided by someone that if a session started in HTTPS it
is only valid in HTTPS (basically, the session cookie is turned into a
secure cookie only).

There have been threads on this in the past, where myself and others asked
why this behavior was changed in Tomcat 4.x and Tomcat 5.x (there used to
be an option as to whether or not the sessions would be secure only if
they were started in HTTPS), and the general consensus seemed to be that
it was best to do it this way so developers don't make mistakes.

In general, with other application servers, if you're switching between
HTTP and HTTPS, you just have to make sure that:
1. Any page that requires privacy is in HTTPS
2. That you drop a secure cookie under HTTPS the first time someone logs
in, so that that cookie is only returned when they view HTTPS pages.

That will protect them from being session hijacked.  (They can still be
session hijacked using their jsessionid on HTTP pages, but that is always
the case.  But, no one will be able to view their HTTPS pages using the
jsessionid unless they also have that secure cookie.)

As it stands, each time a new version of Tomcat comes out, I have to hack
away at the connector code to turn off the forced HTTPS session behavior.
I haven't felt competent enough to submit a patch to the Tomcat code to
try and restore the 3.x option for this, but hopefully I will soon. =P

Thanks,
-Raiden Johnson


On Fri, 15 Oct 2004, David Wall wrote:

> I don't know the answer to that.  It's unlikely, though.  You could put
> something like Apache in the front and use URL rewriting, which can
> basically force any URL with a given pattern to be redirected, either
> forcing HTTP or HTTPS and doing the redirect only when the scheme is not
> what you want.
>
> In general, though, when you know you are shifting between secure and
> insecure, you should perhaps create URLs that make this explicit.  In
> general, you enter a secure mode when starting a secure set of transactions,
> and then switch back when you are done.  Of course, you could just stay with
> HTTPS once they enter secure mode since securing the communications may have
> overhead, but it adds privacy.
>
> David
>
>
> - Original Message -
> From: Antony Paul [EMAIL PROTECTED]
> To: Tomcat Users List [EMAIL PROTECTED]; David Wall
> [EMAIL PROTECTED]
> Sent: Thursday, October 14, 2004 9:42 PM
> Subject: Re: How to redirect http to https automatically?
>
>
> > Is it possible to switch from https to http using this kind of
> > configuration?
> > I tried with NONE for user constraint but it still remains in https.
> >
> > rgds
> > Antony Paul
> >
> >
> > On Thu, 14 Oct 2004 08:40:31 -0700, David Wall [EMAIL PROTECTED]
> > wrote:
> > > This is part of the servlet specs.  In your WEB-INF/web.xml file, you need
> > > a security constraint that says the site should be secure, something like:
> > >
> > > <security-constraint>
> > >   <web-resource-collection>
> > >     <web-resource-name>Entire site</web-resource-name>
> > >     <url-pattern>/*</url-pattern>
> > >     <!-- no <http-method> elements: listing methods would leave every
> > >          unlisted method (HEAD, PUT, ...) outside the constraint -->
> > >   </web-resource-collection>
> > >   <user-data-constraint>
> > >     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > >   </user-data-constraint>
> > > </security-constraint>
> > >
> > > The confidential keyword ensures that the webapp will require https, so if
> > > you try to get it via http, then the redirect stuff specified in your
> > > server.xml will be applied.
> > >
> > > David
> > >
> > >
> > >
> > > - Original Message -
> > > From: Won Sim [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > > Sent: Wednesday, October 13, 2004 8:13 AM
> > > Subject: How to redirect http to https automatically?
> > >
> > > > I set redirectPort attribute to 443, which is my SSL connector port
> > > > number, from port 80 connector in the server.xml. This doesn't redirect http
> > > > to https automatically. In other words, I still can access the application
> > > > via http://server/myapp. I want to know how to redirect http to https
> > > > automatically so when I enter http://server/myapp, Tomcat redirects to
> > > > https://server/myapp. I am using Tomcat 4.1.30.
> > > >
> > > > Thanks in advance.
> > > > Won.
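
The two-cookie scheme raiden describes above (JSESSIONID everywhere, plus a separate Secure-flagged cookie dropped at login over HTTPS and demanded on every HTTPS page), written out as a servlet filter. This is an added example, not code from the thread or from Tomcat. The cookie name SSLTOKEN, the session attribute ssl.token, the login path /login.jsp and the /secure/* mapping are assumptions, and it sticks to the Servlet 2.3/2.4 API of the Tomcat 4.x/5.x line under discussion (so no HttpOnly, which that API lacks).

```java
import java.io.IOException;
import java.security.SecureRandom;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Secure-cookie binding for the HTTPS half of a mixed HTTP/HTTPS site.
 *
 * JSESSIONID keeps travelling over plain HTTP, so whoever sniffs it can replay
 * it against the HTTP pages.  Every HTTPS page additionally demands SSLTOKEN:
 * a random value minted at login over HTTPS and set with the Secure flag, so
 * the browser never sends it in clear.  A sniffed JSESSIONID on its own thus
 * does not open the HTTPS pages.  All names here are assumptions.
 */
public class SecureTokenFilter implements Filter {

    static final String COOKIE_NAME  = "SSLTOKEN";     // assumed cookie name
    static final String SESSION_ATTR = "ssl.token";    // assumed session attribute
    static final String LOGIN_PATH   = "/login.jsp";   // assumed login page

    private static final SecureRandom RNG = new SecureRandom();
    private static final char[] HEX = "0123456789abcdef".toCharArray();

    /** Call from the login servlet, over HTTPS, once the password has been verified. */
    public static void issueToken(HttpServletRequest request, HttpServletResponse response) {
        byte[] raw = new byte[16];                     // 128 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = hex(raw);
        request.getSession(true).setAttribute(SESSION_ATTR, token);

        Cookie c = new Cookie(COOKIE_NAME, token);
        c.setSecure(true);                             // browser sends it over HTTPS only
        String ctx = request.getContextPath();
        c.setPath(ctx.length() == 0 ? "/" : ctx);
        response.addCookie(c);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);
        String expected = (session == null) ? null : (String) session.getAttribute(SESSION_ATTR);
        String presented = cookieValue(request, COOKIE_NAME);

        // Refuse when: the page was reached over HTTP (the CONFIDENTIAL constraint
        // should already prevent that; this is a backstop), the session never
        // logged in over HTTPS, or the caller holds a JSESSIONID without the
        // matching Secure token (the sniffed-cookie case).
        if (!request.isSecure() || expected == null || presented == null
                || !constantTimeEquals(expected, presented)) {
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }
        chain.doFilter(req, res);
    }

    static String cookieValue(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (int i = 0; i < cookies.length; i++) {
            if (name.equals(cookies[i].getName())) return cookies[i].getValue();
        }
        return null;
    }

    /** Equality that does not leak, through timing, how long the matching prefix was. */
    static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) return false;
        int diff = 0;
        for (int i = 0; i < a.length(); i++) diff |= a.charAt(i) ^ b.charAt(i);
        return diff == 0;
    }

    static String hex(byte[] bytes) {
        char[] out = new char[bytes.length * 2];
        for (int i = 0; i < bytes.length; i++) {
            out[2 * i]     = HEX[(bytes[i] >> 4) & 0xf];
            out[2 * i + 1] = HEX[bytes[i] & 0xf];
        }
        return new String(out);
    }

    public void init(FilterConfig config) { }
    public void destroy() { }
}
```

Register it in web.xml with a <filter> and a <filter-mapping> whose <url-pattern> covers the HTTPS-only area, keep a CONFIDENTIAL user-data-constraint on the same paths so the isSecure() branch is only a backstop, and call SecureTokenFilter.issueToken() from the login servlet after the credentials check. It does not protect the plain-HTTP pages: as raiden says, JSESSIONID still travels in clear there, so nothing reachable with it over HTTP should be worth stealing.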

Re: How to redirect http to https automatically?

2004-10-14 Thread David Wall
This is part of the servlet specs.  In your WEB-INF/web.xml file, you need
a security constraint that says the site should be secure, something like:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire site</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- no <http-method> elements: listing methods would leave every
         unlisted method (HEAD, PUT, ...) outside the constraint -->
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

The confidential keyword ensures that the webapp will require https, so if
you try to get it via http, then the redirect stuff specified in your
server.xml will be applied.

David

- Original Message - 
From: Won Sim [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 13, 2004 8:13 AM
Subject: How to redirect http to https automatically?


> I set redirectPort attribute to 443, which is my SSL connector port
> number, from port 80 connector in the server.xml. This doesn't redirect http
> to https automatically. In other words, I still can access the application
> via http://server/myapp. I want to know how to redirect http to https
> automatically so when I enter http://server/myapp, Tomcat redirects to
> https://server/myapp. I am using Tomcat 4.1.30.
>
> Thanks in advance.
> Won.





Re: How to redirect http to https automatically?

2004-10-14 Thread Antony Paul
Is it possible to switch from https to http using this kind of configuration?
I tried with NONE for user constraint but it still remains in https.

rgds
Antony Paul


On Thu, 14 Oct 2004 08:40:31 -0700, David Wall [EMAIL PROTECTED] wrote:
> This is part of the servlet specs.  In your WEB-INF/web.xml file, you need
> a security constraint that says the site should be secure, something like:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Entire site</web-resource-name>
>     <url-pattern>/*</url-pattern>
>     <!-- no <http-method> elements: listing methods would leave every
>          unlisted method (HEAD, PUT, ...) outside the constraint -->
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> The confidential keyword ensures that the webapp will require https, so if
> you try to get it via http, then the redirect stuff specified in your
> server.xml will be applied.
>
> David
>
>
>
> - Original Message -
> From: Won Sim [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Wednesday, October 13, 2004 8:13 AM
> Subject: How to redirect http to https automatically?
>
> > I set redirectPort attribute to 443, which is my SSL connector port
> > number, from port 80 connector in the server.xml. This doesn't redirect http
> > to https automatically. In other words, I still can access the application
> > via http://server/myapp. I want to know how to redirect http to https
> > automatically so when I enter http://server/myapp, Tomcat redirects to
> > https://server/myapp. I am using Tomcat 4.1.30.
> >
> > Thanks in advance.
> > Won.


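
A filter that makes the scheme switch explicit in both directions, as David suggests, and performs the https-to-http downgrade that Antony found NONE does not do (NONE only lifts the requirement; it never redirects). This is an added example, not code from the thread or from Tomcat. The secure prefixes /login, /account and /checkout, the init-parameter names httpPort and httpsPort, and the /* mapping are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Explicit scheme switching.  Paths under one of SECURE_PREFIXES are served
 * over HTTPS only (HTTP requests are redirected, as the CONFIDENTIAL
 * constraint does); every other path is bounced back to plain HTTP, which
 * <transport-guarantee>NONE</transport-guarantee> never does.
 *
 * Ports come from the init-params "httpPort" and "httpsPort" (assumed names),
 * defaulting to 80/443.  Map the filter to /* in web.xml.
 */
public class SchemeFilter implements Filter {

    /** Context-relative path prefixes that must stay on HTTPS.  Assumed values. */
    static final String[] SECURE_PREFIXES = { "/login", "/account", "/checkout" };

    private int httpPort = 80;
    private int httpsPort = 443;

    public void init(FilterConfig config) {
        String p = config.getInitParameter("httpPort");
        if (p != null) httpPort = Integer.parseInt(p);
        p = config.getInitParameter("httpsPort");
        if (p != null) httpsPort = Integer.parseInt(p);
    }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String path = request.getRequestURI().substring(request.getContextPath().length());
        boolean wantSecure = needsHttps(path);

        if (wantSecure == request.isSecure()) {
            chain.doFilter(req, res);                  // already on the right scheme
            return;
        }
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            // A POST on the wrong scheme cannot be fixed by a 302: the body is
            // lost, and a POST of secrets over HTTP is already the damage.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "wrong scheme for " + path);
            return;
        }
        response.sendRedirect(targetUrl(wantSecure, request.getServerName(),
                request.getRequestURI(), request.getQueryString()));
    }

    /** Prefix match on path segments: /login and /login/x, but not /loginhelp. */
    static boolean needsHttps(String path) {
        for (int i = 0; i < SECURE_PREFIXES.length; i++) {
            String p = SECURE_PREFIXES[i];
            if (path.equals(p) || path.startsWith(p + "/")) return true;
        }
        return false;
    }

    /** Same host, URI and query string; only scheme and port change. */
    String targetUrl(boolean secure, String host, String uri, String query) {
        int port = secure ? httpsPort : httpPort;
        boolean defaultPort = secure ? (port == 443) : (port == 80);
        StringBuffer url = new StringBuffer(secure ? "https://" : "http://");
        url.append(host);
        if (!defaultPort) url.append(':').append(port);
        url.append(uri);
        if (query != null) url.append('?').append(query);
        return url.toString();
    }
}
```

Two caveats. The redirect target is built from the Host header via getServerName(); behind a reverse proxy or on a box with several virtual hosts, use a configured canonical host name rather than whatever the client sent. And the filter does not change raiden's observation: on Tomcat 4.x/5.x a session created over HTTPS gets a Secure session cookie, so bouncing the user back to HTTP after /checkout leaves the browser with no session cookie to send, and Tomcat starts a fresh session; that trade-off is the thread's subject, not something this filter hides.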