You could use JavaScript on your non-secure HTTP page?

<script language="javascript">
  window.location = 'https://www.sitename.com'
</script>

That would do the trick.

Stevie

-----Original Message-----
From: Steve Baker [mailto:[EMAIL PROTECTED]]
Sent: 17 July 2002 13:02
To: [EMAIL PROTECTED]
Subject: Redirecting HTTP -> HTTPS? (second attempt)


------------------------------------------------------------------
It appears that much of the code from my first post got wiped out.
Trying the message again here a second time.  Thanks.  -SB
------------------------------------------------------------------

Have any of you experienced Tomcat changing the *domain name* of the
request to "localhost" when you're trying to automatically redirect from
HTTP to HTTPS? We know that it's supposed to change the protocol and the
port, but the domain as well?

Here's the situation:
I have a directory ("db") on my site (for the sake of this email,
"www.mysite.com") that I want to protect using SSL.  Additionally, I need
any wayward HTTP requests to this directory to be automatically redirected
to HTTPS to ensure that they are SSL-encrypted.

To set this up, I followed the SSL Configuration How-To, created the
keystore, and generated a private key.  I then edited /conf/server.xml and
/WEB-INF/web.xml (details below) to automatically redirect those certain
HTTP requests over to HTTPS.  Finally, I restarted Tomcat.

Now when I reference my HTTPS URL *directly*, SSL kicks in, the browser
padlock is locked, and everything works great:
    https://www.mysite.com:8443/db/index.jsp

As I stated, however, I've configured the HTTP request:
    http://www.mysite.com:8080/db/index.jsp

To automatically redirect to that HTTPS URL from above:
    https://www.mysite.com:8443/db/index.jsp

BUT, for some reason, Tomcat is changing the domain to LOCALHOST:
    https://localhost:8443/db/index.jsp

So... basically, Tomcat's got it about 80% right. The protocol and port
were successfully redirected (http 8080 -> https 8443), but the domain was
changed.  This instance of Tomcat is on a remote machine, *NOT* my local
machine, so localhost fails. My question -- why would Tomcat be changing
the server name in such a way?


FYI, here is the relevant code from conf/server.xml:
---------------------------------
<!-- Non-SSL Connector on Port 8080 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
            port="8080" minProcessors="5" maxProcessors="75"
            enableLookups="false" redirectPort="8443"
            acceptCount="10" connectionTimeout="60000" debug="0"
            scheme="http" secure="false"/>

<!-- SSL Connector on Port 8443 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
            port="8443" minProcessors="5" maxProcessors="75"
            enableLookups="false"
            acceptCount="10" connectionTimeout="60000" debug="0"
            scheme="https" secure="true">
   <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
            clientAuth="false" protocol="TLS" />
</Connector>

<!-- Standard Engine -->
<Engine name="Standard Engine" defaultHost="www.mysite.com" debug="0">
    <Host name="www.mysite.com"
          appBase="/home/baker/jbaker/web"
          debug="0"
          unpackWARs="false">
       <Context path="" docBase="" debug="0" reloadable="true"/>
    </Host>
</Engine>
---------------------------------


Here is the relevant code from web.xml:
---------------------------------
<security-constraint>
    <web-resource-collection>
       <web-resource-name>Secure SSL Access</web-resource-name>
       <url-pattern>/db/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
---------------------------------

Note that I have:
* uncommented the SSL connector
* properly set the HTTP connector's redirectPort to SSL's 8443
* changed the Engine's defaultHost to www.mysite.com
* changed the Host's name to www.mysite.com
* set the url-pattern match to /db/* in web.xml
* added the CONFIDENTIAL transport-guarantee

Nothing really extraordinary here.  Moreover, a grep for "localhost" in
both of these files returns zero results.  I'm just not sure where it's
coming from ... especially when Tomcat seems to be doing everything *else*
correctly here.

Any ideas? Thanks in advance!!

-Steve Baker


p.s. Performing a brute force solution such as:
--------------------
if (request.getScheme().equals("http")) {
    // Oops! Plain HTTP: redirect to the HTTPS URL instead.
    response.sendRedirect("https://www.mysite.com:8443" + request.getRequestURI());
    return;
}
--------------------
... at the top of every .jsp in my HTTPS-only directory isn't going to be
the right choice for this particular project.  I will eventually employ
that as a backup to ensure security, but I don't wish to go with that as my
first line of defense...



--
To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]>
For additional commands, e-mail:
<mailto:[EMAIL PROTECTED]>
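
An added example, not part of either message and not Tomcat's own code: a servlet filter that performs the per-JSP check from the p.s. once, server-side, and builds the redirect from a configured host and port rather than from whatever server name the container reports. The class name HttpsRedirectFilter and the init-param names httpsHost and httpsPort are assumptions, and the javax.servlet API (Servlet 2.3 or later, Tomcat 9 and earlier) is assumed.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: redirects plain-HTTP requests to a fixed HTTPS origin. */
public class HttpsRedirectFilter implements Filter {
    // Assumed init-param names; values come from web.xml, never from the request.
    private String httpsHost;   // e.g. www.mysite.com
    private int httpsPort;      // e.g. 8443

    public void init(FilterConfig cfg) throws ServletException {
        httpsHost = cfg.getInitParameter("httpsHost");
        String port = cfg.getInitParameter("httpsPort");
        if (httpsHost == null || port == null) {
            throw new ServletException("httpsHost and httpsPort init-params are required");
        }
        httpsPort = Integer.parseInt(port);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isSecure()) {          // arrived on the secure="true" connector
            chain.doFilter(req, res);
            return;
        }
        // Only GET/HEAD are redirected; any other method has already sent its
        // body in clear text, so it is refused instead of being replayed.
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        response.sendRedirect(buildTarget(httpsHost, httpsPort,
                request.getRequestURI(), request.getQueryString()));
    }

    /** Builds the target from configured host/port plus the request path and query. */
    static String buildTarget(String host, int port, String uri, String query) {
        StringBuilder url = new StringBuilder("https://").append(host);
        if (port != 443) url.append(':').append(port);
        url.append(uri);
        if (query != null) url.append('?').append(query);
        return url.toString();
    }

    public void destroy() { }
}
```

Mapped to /db/* in web.xml with httpsHost set to www.mysite.com and httpsPort set to 8443, a request for http://www.mysite.com:8080/db/index.jsp is redirected to https://www.mysite.com:8443/db/index.jsp.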


