6

I recently configured Tomcat 6 with SSL and client authentication, but the only way I could do it was by modifying server configuration files (web.xml, server.xml). As I don't have full control over the deployment server, I would like to configure everything just for some pages or url-patterns of my application without modifying the main configuration files.

For example: Main server:

  • Application1 -> HTTP
  • Application2 -> HTTP
  • MyApplication -> HTTPS

If somebody knows how to do it, please tell me.

Timoteo Ponce

2 Answers

10

The only way to get https going is to write the appropriate connector in the server.xml file under the <service> tag. Once you set up the connector you can access all applications in the server with http or https. The only difference is which connector gets used. Typically the connectors for http and https look like this:

<!-- Plain-HTTP connector. redirectPort is where Tomcat sends requests for
     resources whose transport-guarantee is CONFIDENTIAL or INTEGRAL. -->
<Connector port="80" protocol="HTTP/1.1"
           maxThreads="150" connectionTimeout="20000"
           redirectPort="443"
           URIEncoding="UTF-8" compression="on"/>

<!-- HTTPS connector. keystorePass="changeit" is only the keytool default;
     use the real keystore password. clientAuth="false" (the default) means no
     client certificate is requested unless a webapp protects a resource with
     CLIENT-CERT authentication. -->
<Connector port="443" protocol="HTTP/1.1"
           maxThreads="150" connectionTimeout="20000"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/.keystore"
           keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"
           URIEncoding="UTF-8" compression="on"/>

You can then force your application to always use https by adding the transport-guarantee tag to web.xml, which ends up something like this:

<!-- CONFIDENTIAL makes Tomcat redirect plain-HTTP requests for /* to the
     HTTP connector's redirectPort. The auth-constraint additionally needs a
     login-config and a realm that grants the Administrators role. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Administrators</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Administrators</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

You can change the transport-guarantee for the different web resources you define, thus allowing you to protect certain parts of the site and not others.

At the very end, having the connector in server.xml does not force you to use https for all applications. It only allows the use of the https connector.

Ricardo Marimon
  • Thanks for the descriptive answer, for me it seems the way to go. – Timoteo Ponce Nov 26 '10 at 13:34
  • Just something else, will this web.xml configuration activate the client authentication?. Because I see 'clientAuth="false"' in server.xml configuration. – Timoteo Ponce Nov 26 '10 at 14:26
  • The client authentication goes into effect when you make `CONFIDENTIAL`. You can have https without client authentication. Take a look at http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html for further comments. – Ricardo Marimon Nov 28 '10 at 06:55
  • Just want to add that the `web.xml` being referred in "adding the `transport-guarantee` tag to `web.xml`" is the one present at `/webapps/MyApplication/WEB-INF` and not the one at `/conf`. – nu_popli Jun 29 '22 at 19:22
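The asker's follow-up about client authentication is answered by the Tomcat 6 connector documentation: with clientAuth="false" (the default) the connector does not ask for a client certificate unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication. That is exactly the per-application control asked for, and it lives entirely in `WEB-INF/web.xml`. The following is an added example, not part of the original answer. The paths (`/secure/*`), the role name `cert-users` and the realm name are hypothetical; it assumes the HTTPS connector above exists and that the connector's truststore (or the JVM default) contains the CA that issued the client certificates.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical WEB-INF/web.xml for MyApplication (added example). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- 1. The whole application must be reached over TLS. There is no
          auth-constraint here, so this alone never requests a client
          certificate; plain-HTTP requests are redirected to the redirectPort
          of the HTTP connector (443 above). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole-application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 2. Only /secure/* additionally requires an authenticated client.
          The auth-constraint is what triggers authentication; the realm must
          grant the role to the certificate's subject DN, which Tomcat's
          built-in realms use as the user name for CLIENT-CERT. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>client-cert-area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>cert-users</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 3. CLIENT-CERT makes Tomcat obtain the certificate from the TLS layer,
          renegotiating the handshake when the connector has clientAuth="false". -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>MyApplication</realm-name>
  </login-config>

  <security-role>
    <role-name>cert-users</role-name>
  </security-role>
</web-app>
```

Other applications on the same server stay plain HTTP unless their own web.xml says otherwise, and the server-wide connector keeps clientAuth="false". The certificate is still verified by the connector's truststore, so a certificate from an unknown CA fails at the handshake rather than reaching the realm.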
-1

In addition to @rmarimon's answer, if you don't want to change server.xml, you would have to write a Filter to check for your application URLs and redirect back to http/https as appropriate.

However, a Filter would still require a definition and <filter-mapping> in web.xml

JoseK
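The Filter approach in code, as an added example that is not part of the original answer. It assumes the HTTPS connector from the accepted answer exists; the class name, the `httpsPort` and `securePrefixes` init-params and the `/admin,/account` prefixes are hypothetical. The registration it needs in the application's own `WEB-INF/web.xml` is shown in the class comment; nothing in server.xml changes.

```java
package example;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the original answer): redirects plain-HTTP requests
 * for selected paths of this webapp to the HTTPS connector.
 *
 * Hypothetical registration in WEB-INF/web.xml:
 *
 *   <filter>
 *     <filter-name>httpsRedirect</filter-name>
 *     <filter-class>example.HttpsRedirectFilter</filter-class>
 *     <init-param><param-name>httpsPort</param-name><param-value>443</param-value></init-param>
 *     <init-param><param-name>securePrefixes</param-name><param-value>/admin,/account</param-value></init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>httpsRedirect</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class HttpsRedirectFilter implements Filter {

    private int httpsPort = 443;                 // hypothetical default
    private String[] securePrefixes = new String[0];

    public void init(FilterConfig config) throws ServletException {
        String port = config.getInitParameter("httpsPort");
        if (port != null) {
            httpsPort = Integer.parseInt(port.trim());
        }
        String prefixes = config.getInitParameter("securePrefixes");
        if (prefixes != null) {
            securePrefixes = prefixes.trim().split("\\s*,\\s*");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to this webapp's context root, e.g. "/admin/users".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // isSecure() is true only for requests that arrived on a connector
        // with secure="true", i.e. the SSLEnabled one in server.xml.
        if (request.isSecure() || !needsHttps(path)) {
            chain.doFilter(req, res);
            return;
        }

        // Only redirect idempotent requests. A POST body has already crossed
        // the wire in clear text; do not ask the client to resend it.
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        StringBuilder target = new StringBuilder("https://").append(request.getServerName());
        if (httpsPort != 443) {
            target.append(':').append(httpsPort);
        }
        target.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            target.append('?').append(request.getQueryString());
        }
        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
        response.setHeader("Location", target.toString());
    }

    /** True when the context-relative path starts with a configured prefix. */
    boolean needsHttps(String path) {
        for (String prefix : securePrefixes) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    public void destroy() {
    }
}
```

Two limits of this route are worth keeping in mind. The filter runs only after Tomcat has already read the plaintext request, so the redirect protects the next request, not the URL and headers that were just sent in the clear; and it still cannot create the HTTPS connector, which is why the accepted answer's connector plus `<transport-guarantee>` is the smaller change when server.xml can be edited at all.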