Tomcat and SSL redirection
Let's first describe the installation:
I'm still working with the CentOS 4.5 server and Tomcat 6.0.13.
Neither Apache nor any other web service is running on the server, so Tomcat itself will listen on port 80 for http and on port 443 for https. (On CentOS only root can bind ports below 1024, so Tomcat must be started as root, or the ports forwarded to it, for this to work.)
The aim of this post is to show how to redirect automatically from http (port 80) to https (port 443) when a specific Tomcat application is accessed, so that, for instance, login credentials are only ever submitted over an encrypted connection.
1/ Configure the tomcat server
Here is the configuration ($CATALINA_HOME/conf/server.xml) that makes Tomcat listen on port 80. The redirectPort attribute is the port Tomcat redirects to when an http request hits a resource that requires https.
<Connector port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
To make Tomcat listen on port 443 with an SSL transport, the following needs to be configured in the server.xml file. The keystorePass value must match the password chosen when the keystore is created (if the attribute is omitted Tomcat falls back to its built-in default, changeit), and "password" here is only a placeholder:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/opt/apache-tomcat-6.0.13/.keystore"
keystorePass="password"/>
The keystore file is created as follows:
root@server:~# $JAVA_HOME/bin/keytool -genkey -alias virtualhostname \
    -keyalg RSA -keystore /opt/apache-tomcat-6.0.13/.keystore
keytool then prompts for the keystore password and the certificate fields. The password must be the one given as keystorePass in server.xml, and the answer to "What is your first and last name?" must be the host name clients will use in the URL, since browsers compare it with the certificate. The certificate generated this way is self-signed, so browsers will warn about it until it is replaced with one signed by a trusted CA. As the keystore holds the private key, make it readable by the Tomcat user only.
2/ Configure the tomcat application
Add the following in the $CATALINA_HOME/webapps/yourapplication/WEB-INF/web.xml in the <security-constraint> tag:
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
This forces a switch from http to https: a plain http request for a URL matching the constraint is answered with a redirect to the same URL on the redirectPort, and the resource is only served over the secure connection.
With this added, the web.xml file shown in the previous post looks as follows:
<security-constraint>
<display-name>Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<!-- Define the context-relative URL(s) to be protected -->
<url-pattern>/*</url-pattern>
<!-- If you list http methods, only those methods are protected -->
</web-resource-collection>
<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
<role-name>source</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Default login configuration uses form-based authentication -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/security/protected/index.jsp</form-login-page>
<form-error-page>/security/protected/error.jsp</form-error-page>
</form-login-config>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<role-name>source</role-name>
</security-role>
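Before restarting Tomcat it is worth checking that the three pieces above actually fit together: the plain connector's redirectPort must point at a connector with SSLEnabled="true", that connector should not keep a placeholder keystore password, and the application's security-constraint must carry a CONFIDENTIAL transport-guarantee. The script below is an added example written for this post, not code from the post itself or from Tomcat; it audits both files with the standard library only. The server.xml and web.xml documents are constructed inline (mirroring the fragments above) so it runs offline; in practice you would read $CATALINA_HOME/conf/server.xml and the application's WEB-INF/web.xml instead. The finding messages are my own wording.

```python
"""Audit a Tomcat server.xml and a web-app web.xml for the http -> https
redirect setup: added example, not the post's own code."""
import xml.etree.ElementTree as ET

# Constructed server.xml mirroring the two connectors shown in the post.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/apache-tomcat-6.0.13/.keystore" keystorePass="password"/>
  </Service>
</Server>"""

# Constructed web.xml; a Servlet 2.5 descriptor carries a default namespace,
# which is why tags are compared by local name below.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>source</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

# "changeit" is Tomcat's built-in default; "password" is the post's placeholder.
WEAK_KEYSTORE_PASSWORDS = {"changeit", "password"}


def _local(tag):
    """Strip a namespace prefix: '{ns}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def _is_true(value):
    return (value or "false").strip().lower() == "true"


def audit_server_xml(text):
    """Return a list of findings about the connectors; empty means they look right."""
    findings = []
    root = ET.fromstring(text)
    # AJP connectors are ignored: they are fronted by a web server, not browsers.
    connectors = [c for c in root.iter() if _local(c.tag) == "Connector"
                  and not c.get("protocol", "HTTP/1.1").startswith("AJP")]
    ssl_ports = set()
    for c in connectors:
        if not _is_true(c.get("SSLEnabled")):
            continue
        port = c.get("port", "?")
        ssl_ports.add(port)
        if c.get("scheme") != "https" or not _is_true(c.get("secure")):
            findings.append('Connector %s: SSL connector must set scheme="https" secure="true"' % port)
        # Tomcat uses "changeit" when keystorePass is absent.
        if c.get("keystorePass", "changeit") in WEAK_KEYSTORE_PASSWORDS:
            findings.append("Connector %s: keystorePass is a well-known default" % port)
    for c in connectors:
        if _is_true(c.get("SSLEnabled")):
            continue
        port = c.get("port", "?")
        target = c.get("redirectPort", "443")  # Tomcat's built-in default
        if target not in ssl_ports:
            findings.append("Connector %s: redirectPort %s is not an SSLEnabled connector" % (port, target))
    return findings


def audit_web_xml(text):
    """Return findings for every security-constraint that does not force https."""
    findings = []
    root = ET.fromstring(text)
    constraints = [e for e in root.iter() if _local(e.tag) == "security-constraint"]
    if not constraints:
        findings.append("web.xml: no security-constraint, nothing is redirected to https")
    for sc in constraints:
        patterns = [e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern" and e.text]
        guarantees = [e.text.strip() for e in sc.iter() if _local(e.tag) == "transport-guarantee" and e.text]
        # Tomcat enforces a secure connection for both CONFIDENTIAL and INTEGRAL.
        if not any(g in ("CONFIDENTIAL", "INTEGRAL") for g in guarantees):
            findings.append("security-constraint %s: transport-guarantee is %s, not CONFIDENTIAL"
                            % (", ".join(patterns) or "(no url-pattern)",
                               guarantees[0] if guarantees else "absent"))
    return findings


def audit(server_text, web_text):
    """Combined report for one server.xml and one web.xml."""
    return audit_server_xml(server_text) + audit_web_xml(web_text)


if __name__ == "__main__":
    for line in audit(SERVER_XML, WEB_XML) or ["OK: redirect configuration is consistent"]:
        print(line)
```

Run against the constructed files the only finding is the placeholder keystore password; change the plain connector's redirectPort to a port with no SSL connector, or the transport-guarantee to NONE, and the corresponding finding appears, which is exactly the class of mistake that silently leaves the login form reachable over clear-text http.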
3/ To conclude
With this configuration, a Tomcat application is secured automatically even when it is accessed through the http://server/application URL: the client is redirected to https://server/application. Keep in mind that only URLs matching the url-pattern of the security-constraint are covered, and that the very first request, including any cookie it carries, still travels in clear text before the redirect happens.