Discovered my problem with adding a second security-constraint as shown
below. Just putting the user-data-constraint element into the
previous security-constraint did the trick.
Thanks,
David
David Wall wrote:
I've just installed TC 5.5.12 and have configured it to allow for
HTTPS with the standard test port of 8443 and the redirect port on the
8080 connector pointing to it.
Then, in the server/webapps/manager/WEB-INF/web.xml file, I added the
following lines below the security constraint that comes with the webapp:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire manager app</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
The intent was that any URL coming into /manager/* would require SSL.
It does seem to try to redirect, but there appears to be some sort of
issue with that and the basic auth that comes with the manager app by
default. It appears to prompt me for my username and password before
it goes into SSL mode, so my basic auth is not protected. If I use
the https link directly, all seems to work fine.
In fact, when I first use the http link, it prompts me for a
username+password. I enter the correct values to login. Then
(because I've got a self-signed test cert) the browser brings up a
warning about the cert, along with a second basic auth prompt for
username+password. I enter the correct values again. But it then
seems to leave my browser on the insecure connection rather than the
https one.
Is there a bug with CONFIDENTIAL/https and the basic auth routines?
It seems that the security constraint needs to take place with a
redirect before anything is returned to the browser to request the
basic auth. Or is there something I've just not configured correctly
yet?
Thanks,
David
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
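The fix David describes in his follow-up, written out as an added example (this is not a fragment from his message or from the stock Tomcat descriptor): a single security-constraint for the manager webapp that carries both the auth-constraint and the CONFIDENTIAL user-data-constraint. The role name "manager" is assumed from the Tomcat 5.5 manager web.xml; the /* pattern is David's.

```xml
<!-- Added example, not David's original snippet. The manager web.xml already
     ships with a security-constraint that has an auth-constraint. Adding the
     CONFIDENTIAL transport guarantee as a *second* constraint produced a BASIC
     challenge over plain http on 8080 before any redirect, so the credentials
     crossed the wire unprotected. With both parts in one constraint, the
     container enforces the transport guarantee (redirect to the 8443 connector)
     before it challenges for credentials. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire manager app</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- No http-method elements on purpose: listing GET and POST only would
         leave every other verb (HEAD, PUT, DELETE, ...) outside the
         constraint. Omitting the list covers all methods. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Assumed: the role the stock 5.5 manager descriptor requires. -->
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

A quick check after the change: request http://host:8080/manager/html and confirm the very first response is a redirect to https on 8443, with no WWW-Authenticate header on the plain-http leg.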