Hi, I have a web site with a login page that has to be accessed using SSL so that the password is not sent as clear text. The rest of the site is non-SSL. My configuration worked with this combination: Tomcat 5.5.27; Apache 2.0.58; Java 1.5.0_13; and mod_jk (I'm not sure what version of mod_jk, but it's old). After upgrading to Tomcat 7.0.22; Apache 2.2.21; Java 1.6.0_23; and Tomcat JK connector version 1.2.32, I find my application doesn't work the same. The problem is I never get past the login page, because whenever a redirect from port 8443 to port 8080 occurs I get bumped back to the login page. I can use the application if I stay totally within SSL, and I can use the application totally without SSL, so I think this is a configuration issue; I just don't know what needs to change. I read the Tomcat 7 SSL Configuration How-To and it says it's "customary to only run certain pages under SSL", but I'm missing something or have used a hole in the past that has now been plugged.
My web.xml is configured as follows:

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <display-name>App Security</display-name>
        <web-resource-collection>
            <web-resource-name>App Security</web-resource-name>
            <description></description>
            <url-pattern>*.jsp</url-pattern>
            <url-pattern>*.do</url-pattern>
            <url-pattern>*.html</url-pattern>
            <http-method>GET</http-method>
            <http-method>PUT</http-method>
            <http-method>POST</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description></description>
            <role-name>person</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginerr.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <description>All users who can login should be able to use this application</description>
        <role-name>person</role-name>
    </security-role>

I created a certificate using the Java keystore and updated Tomcat's server.xml:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/security/.keystore"
               keystorePass="appcertkey"
               keyAlias="keyalias"/>

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

index.html redirects the user from https to http.

Any suggestions would be appreciated.

Regards,
Janet
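The How-To's remark about running "only certain pages under SSL" refers to the standard Servlet mechanism for that: a separate security-constraint whose user-data-constraint carries a CONFIDENTIAL transport-guarantee, which makes Tomcat redirect plain-HTTP requests for those URLs to the connector's redirectPort. The fragment below is an added illustration of that element, not configuration from the post above and not a diagnosis of the poster's problem; the URL patterns and the "person" role are taken from the posted web.xml, and the constraint shown is assumed to be added alongside the existing one.

```xml
<!-- Added example: require SSL only for the login pages, leaving the rest of
     the site on plain HTTP. The url-patterns and role come from the posted
     web.xml; this second constraint is assumed to sit next to the existing
     "App Security" constraint, not replace it. -->
<security-constraint>
    <display-name>Login over SSL</display-name>
    <web-resource-collection>
        <web-resource-name>Login pages</web-resource-name>
        <!-- Only the pages that carry the password need the guarantee. -->
        <url-pattern>/login.jsp</url-pattern>
        <url-pattern>/loginerr.jsp</url-pattern>
        <url-pattern>/j_security_check</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- No auth-constraint here: anyone may reach the login page, but only
         over a confidential (TLS) transport. A plain-HTTP request for these
         URLs is redirected by Tomcat to the connector's redirectPort (8443). -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

Two points worth checking when mixing SSL and non-SSL pages this way: the redirectPort on each plain-HTTP connector (8080 and the AJP 8009 connector in the posted server.xml) must point at the SSL connector, and anything the container sets only for the HTTPS origin (for example a session cookie flagged Secure) will not be presented by the browser on the HTTP side, so a session established entirely over HTTPS should be tested against the HTTP pages explicitly rather than assumed to carry over.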