Thanks. However, what I don't understand is why putting that code into the webapps WEB-INF/web.xml would cause the behaviour I want in ROOT.
Sadly, this is a production server and I can't play with it except after hours. EDIT. I tried working with web.xml on my development server, and could not get it to work, no matter which web.xml I used. In fact, whenever I edited the 'correct' web.xml, I immediately started getting '404' errors. If I removed the changes and restarted, the errors went away. So I tried something different after re-checking the internet. My original info came from here: https://gist.github.com/jtgasper3/10501274 after typing "force tomcat http to https" the above link was one, and the one I'd used to originally edit tomcat/conf/web.xml. The following bit caught my eye: albertus82 commented on Oct 31, 2018 Some applications don't work correctly with that security-constraint, so I followed a completely different approach: Edit conf/server.xml and add the following element into <Host name="localhost" ...>: <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" /> Create the file conf/Catalina/localhost/rewrite.config: RewriteCond %{HTTPS} =off RewriteRule ^(.*) https://%{HTTP_HOST}:443$1 [R=301] I tried that on localhost (devel box) and it didn't work at first, but only because I did not have port 80 'turned on' on that machine. Once I did that it worked. I then implemented the above 'fix' in the production conf/server.xml and conf/Catalina/localhost and after restarting tomcat, ALL PAGES redirect from http to https as I had wanted. I even put the web pages back to just using index.html (moral: always make backups before you start doing stuff!). On reflection, I do think the valve was the more appropriate way to tackle this problem, so I'm very happy with the solution. -R On 7/20/2019 3:48 AM, logo wrote: Richard, Am 20.07.2019 um 04:19 schrieb Richard Huntrods <huntr...@athabascau.ca><mailto:huntr...@athabascau.ca>: I tried implementing automatic redirection from HTTP to HTTPS on my tomcat today, but it's not working. First, my system: OS: Ubuntu 18.04.2 LTS (server) Tomcat: 9.0.22 (installed from tomcat distribution, not via apt get) Java: OpenJDK "11.0.3" 2019-04-16 Mysql: Ver 14.14 Distrib 5.7.26 This web application has it's own domain (let's call it "mydomain.com" ) and has working HTTPS - and has done for some time now. Static web pages are served on this application via tomcat using the ROOT directory ../tomcat/webapps/ROOT Again, this is working just fine. If I type "https://mydomain.com";<https://mydomain.com> I see the secure static pages. If I type "http://mydomain.com";<http://mydomain.com> I see the same pages, but browsers inform me the page isn't secure. I want to force tomcat to redirect "http://mydomain.com";<http://mydomain.com> to "https://mydomain.com";<https://mydomain.com> always. I found instructions for auto-redirection on several on-line sites, and all had the same instructions. I already have the redirect code in server.xml: <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" /> So all I had to add (according to the instructions) was code at the end of ...tomcat/conf/web.xml <security-constraint> <web-resource-collection> <web-resource-name>Secured</web-resource-name> <url-pattern>/*</url-pattern> </web-recource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> just before the final </web-app> This should go into your webapp's WEB-INF/web.xml! Not the tomcat/conf! Hope this helps, Peter I did this and restarted tomcat. It doesn't work. After restarting tomcat, if I type in "http://mydomain.com";<http://mydomain.com> I still see the unsecured version. It does not auto-redirect to https. What am I missing? Thanks, -Richard --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus -- This communication is intended for the use of the recipient to whom it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communications received in error, or subsequent reply, should be deleted or destroyed. --- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org<mailto:users-unsubscr...@tomcat.apache.org> For additional commands, e-mail: users-h...@tomcat.apache.org<mailto:users-h...@tomcat.apache.org> [https://ipmcdn.avast.com/images/icons/icon-envelope-tick-round-orange-animated-no-repeat-v1.gif]<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient> Virus-free. www.avast.com<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient> -- This communication is intended for the use of the recipient to whom it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communications received in error, or subsequent reply, should be deleted or destroyed. ---
