Duncan,

On 12/18/14 4:18 AM, Lyallex wrote:
> On 17 December 2014 at 22:37, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>
> Duncan,
>
> On 12/17/14 12:32 PM, Lyallex wrote:
>>>> Yea I thought of this, the problem is I currently have a user
>>>> area that requires a login and all this is currently
>>>> configured in web.xml and I'm not sure how all this will fit
>>>> together. I'll try a few things out and see what happens.
>
> You can have multiple, overlapping security-constraints. One of
> them (which covers the whole site) will require HTTPS, the other
> (existing one) will require authentication and authorization, but
> only for certain (again, existing) URL patterns.
>
> Should be no problem.
>
>> You are correct, I followed Mark's instructions, set up a new
>> security constraint and restarted the server now when I access
>> localhost I get 'redirected' to https://localhost which is what I
>> wanted, it was the whole overlapping security-constraint thing
>> that was vexing me somewhat.
>
>> I can also log into my user and admin areas as normal which is a
>> relief but I'm getting some problems with AJAX not updating the
>> live areas of my site so I'll have to look into that.
>
>> Now I know this is probably OT but I'm in the UK and was
>> wondering if anyone has found a UK certification co that has
>> decent customer support as I now have to figure out how to buy
>> and install a certificate with the right params in a standalone
>> Tomcat instance. My server hosts don't offer support in this area
>> as they seem to be obsessed with Apache httpd :-(

You can use keytool to create your CSR and give it to the CA, and when
they give you back a PEM-encoded .crt file, you can import it back
into keytool, you just need to know the magic words to do it. So it
doesn't matter what the CA says they officially support; you should be
able to handle whatever they give you, since it's all X.509 no matter
what.

If you want to get a free certificate, try StartCom (startssl.com).
They are trusted by most browsers and offer no-cost standard SSL
certificates. You have to pay if you want EV certs, or if you want to
revoke a cert you've requested in the past. They can also do
code-signing certs and other things, for a fee.

-chris

>>>> On 17 December 2014 at 17:20, Mark Thomas <ma...@apache.org>
>>>> wrote:
>>>>> On 17/12/2014 17:10, Lyallex wrote:
>>>>>> Tomcat 7.0.42 jdk1.7.0_51 Ubuntu 12.04/CentOS dev/deploy
>>>>>>
>>>>>> I have been reading more and more about Google and the
>>>>>> like prioritising sites that employ https/ssl by default.
>>>>>> Currently my site does not use https but delegates
>>>>>> payment to a secure payment provider who does, thusly I
>>>>>> have avoided going through the pain of certification etc,
>>>>>> now it appears I have little option but to implement
>>>>>> https site wide. I have managed to get a keystore going
>>>>>> and have configured tomcat to serve a self signed
>>>>>> certificate when accessing the site by https (default
>>>>>> port 443)
>>>>>>
>>>>>> so http://localhost accesses the home page and
>>>>>> https://localhost pops up a warning in Firefox regarding
>>>>>> an unknown certification authority. This is all good and
>>>>>> I'm pretty sure I understand so far.
>>>>>>
>>>>>> I have noticed that if I type http://www.google.co.uk in
>>>>>> to a browser the address is automatically changed
>>>>>> (redirected) to https://www.google.co.uk and I would like
>>>>>> the same to happen to my site.
>>>>>>
>>>>>> Here is the question. Is this 'redirection' something I
>>>>>> need to configure myself, (can it be done in server.xml
>>>>>> for example) or is this something the people I rent my
>>>>>> server from need to do at their end.
>>>>>
>>>>> It depends on exactly how things are set up.
>>>>>
>>>>> The first thing I would try is adding something like the
>>>>> following to your web.xml:
>>>>>
>>>>> <security-constraint>
>>>>>   <web-resource-collection>
>>>>>     <web-resource-name>Everything</web-resource-name>
>>>>>     <url-pattern>/*</url-pattern>
>>>>>   </web-resource-collection>
>>>>>   <user-data-constraint>
>>>>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>>>   </user-data-constraint>
>>>>> </security-constraint>
>>>>>
>>>>> If I have remembered my syntax correctly, that should
>>>>> route every request to https if it isn't already.
>>>>>
>>>>> Mark
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org