Hi,
I have a web site with a login page that has to be accessed using SSL so
that the password is not sent as clear text. The rest of the site is
non-SSL. My configuration worked with this combination: Tomcat 5.5.27;
Apache 2.0.58; JAVA 1.5.0_13 and, mod_jk (I'm not sure what version of
mod_jk but it's old). After upgrading to Tomcat 7.0.22; Apache 2.2.21;
JAVA 1.6.0_23; and tomcat jk connector version 1.2.32 I find my
application doesn't work the same. The problem is I never get past the
login page because whenever a redirect from port 8443 to port 8080 occurs
I get bumped back to the log in page. I can use the application if I stay
totally within SSL and I can use the application totally without SSL so I
think this is a configuration issue, I just don't know what needs to
change. I read the tomcat 7 SSL Configuration How-to and it says it's
"customary to only run certain pages under SSL" but I'm missing something
or have used a hole in the past that has now been plugged.
My web.xml is configured as follows:
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>App Security</display-name>
<web-resource-collection>
<web-resource-name>App Security</web-resource-name>
<description></description>
<url-pattern>*.jsp</url-pattern>
<url-pattern>*.do</url-pattern>
<url-pattern>*.html</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description></description>
<role-name>person</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginerr.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>All users who can login should be able to use this
application</description>
<role-name>person</role-name>
</security-role>
I created a certificate using the Java keystore and updated tomcat
server.xml
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/security/.keystore"
keystorePass="appcertkey" keyAlias="keyalias"/>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Index.html redirects the user from https to http.
Any suggestions would be appreciated.
Regards,
Janet
