I've just installed TC 5.5.12 and have configured it to allow for HTTPS
with the standard test port of 8443 and the redirect port on the 8080
connector pointing to it.

Then, in the server/webapps/manager/WEB-INF/web.xml file, I added the
following lines below the security constraint that comes with the webapp:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire manager app</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

The intent was that any URL coming into /manager/* would require SSL.
It does seem to try to redirect, but there appears to be some sort of
issue with that and the basic auth that comes with the manager app by
default. It appears to prompt me for my username and password before it
goes into SSL mode, so my basic auth is not protected. If I use the
https link directly, all seems to work fine.

In fact, when I first use the http link, it prompts me for a
username+password. I enter the correct values to log in. Then (because
I've got a self-signed test cert) the browser brings up a warning about
the cert, along with a second basic auth prompt for username+password.
I enter the correct values again. But it then seems to leave my browser
on the insecure connection rather than the https one.

Is there a bug with CONFIDENTIAL/https and the basic auth routines? It
seems that the security constraint needs to take place with a redirect
before anything is returned to the browser to request the basic auth.
Or is there something I've just not configured correctly yet?

Thanks,
David
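
Added example, not part of the original message: a Python audit for the layout described above, where the transport guarantee sits in a separate security-constraint from the one carrying the auth-constraint. Under the Servlet specification's rules for combining constraints on the same URL pattern and method, a constraint without a user-data-constraint accepts any connection type and the accepted connection types are unioned, so the script flags every authenticated URL pattern that an applicable constraint leaves open to plain HTTP. The first constraint in SAMPLE, its role name and the function names are constructed assumptions (the message does not show the stock constraint), and patterns are compared as exact strings.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an authentication-only constraint (assumed shape, role
# name "manager" is a placeholder) followed by the constraint from the message.
SAMPLE = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>manager</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
 </security-constraint>
</web-app>"""

def _local(elem):
    # Drop any "{namespace}" prefix so schema-declared web.xml files parse too.
    return elem.tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    return {(e.text or "").strip() for e in elem.iter() if _local(e) == name}

def parse_constraints(web_xml):
    """Return one dict per <security-constraint> in the descriptor."""
    root = ET.fromstring(web_xml)
    return [{
        "patterns": _texts(sc, "url-pattern"),
        "methods": _texts(sc, "http-method"),  # empty set = all methods
        "auth": any(_local(e) == "auth-constraint" for e in sc.iter()),
        "tls": bool(_texts(sc, "transport-guarantee") & {"CONFIDENTIAL", "INTEGRAL"}),
    } for sc in root.iter() if _local(sc) == "security-constraint"]

def cleartext_auth_patterns(web_xml):
    """Authenticated URL patterns that an applicable constraint leaves on plain HTTP."""
    cs = parse_constraints(web_xml)
    flagged = set()
    for a in (c for c in cs if c["auth"]):
        for b in cs:  # b may be a itself: auth with no transport guarantee
            overlap = not a["methods"] or not b["methods"] or a["methods"] & b["methods"]
            if overlap and not b["tls"]:
                flagged |= a["patterns"] & b["patterns"]
    return sorted(flagged)

if __name__ == "__main__":
    print(cleartext_auth_patterns(SAMPLE))
```

Moving the user-data-constraint into the same security-constraint that carries the auth-constraint clears the finding for this sample.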