Hello,

I have developed a simple web application running on Tomcat that asks
for a database username and password and then returns a report in PDF.
I'm *not* using any of Tomcat's security features for this--no roles for
example.

In testing it has been running fine on HTTP, but I would like it to be
using HTTPS/SSL for production use, and ideally, be redirecting any user
HTTP requests to HTTPS. So I created a new keystore and activated the
HTTPS/SSL connector in the server.xml file. I also added the following
security constraint to the web.xml of my web application in order to
force a redirect from HTTP to HTTPS should the user enter the former:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>thewholeapp</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name> <!-- even though I have no roles configured -->
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

The redirection to the HTTPS page is working, but the HTTPS page itself
is failing--I keep getting 403 error messages: "Access to the requested
resource has been denied". Note I am *not* doing any form of container
authentication--that may be the problem, as I'm relying on the DB
connection string within my web application to authenticate into the
database. I get the same message if I go to the https:// URL directly
and not via redirection.

How can I get Tomcat to let every user access the HTTPS URL login page
(letting the database continue to handle the subsequent authentication
into the DB), preferably while still allowing for the automatic
redirection from HTTP to HTTPS as listed in the above
<security-constraint/>?

Thanks,
Glen
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
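
Added example, not part of the original message: a small Python check over a web.xml that reports the two properties of the posted constraint that matter here, assuming standard Servlet deployment-descriptor semantics (an auth-constraint requires an authenticated user in a listed role, "*" stands for the roles declared in the descriptor, and http-method entries limit the constraint to those methods). The function name, finding codes and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _all(elem, name):
    """Descendants with the given local tag name, ignoring any XML namespace."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_web_xml(xml_text):
    """Return (constraint name, finding code) pairs for one web.xml document."""
    root = ET.fromstring(xml_text)
    has_login = bool(_all(root, "login-config"))
    declared = {r.text.strip() for sr in _all(root, "security-role")
                for r in _all(sr, "role-name") if r.text}
    findings = []
    for sc in _all(root, "security-constraint"):
        name = next((e.text for e in _all(sc, "web-resource-name")), "?")
        for ac in _all(sc, "auth-constraint"):
            roles = {r.text.strip() for r in _all(ac, "role-name") if r.text}
            if not has_login:
                # Nothing can establish a user, so the role check can never pass.
                findings.append((name, "AUTH_CONSTRAINT_WITHOUT_LOGIN_CONFIG"))
            if "*" in roles and not declared:
                # "*" means every role declared in this descriptor; none are.
                findings.append((name, "WILDCARD_ROLE_BUT_NO_SECURITY_ROLE"))
        guarantees = {t.text.strip() for t in _all(sc, "transport-guarantee") if t.text}
        if "CONFIDENTIAL" in guarantees and _all(sc, "http-method"):
            # Only the listed methods are constrained; others skip the HTTPS rule.
            findings.append((name, "TRANSPORT_GUARANTEE_LIMITED_TO_LISTED_METHODS"))
    return findings

# Constructed sample: the constraint from the message inside a minimal <web-app>.
POSTED = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>thewholeapp</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""
# Constructed variant: no auth-constraint, no http-method list, HTTPS still required.
HTTPS_ONLY = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>thewholeapp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""

if __name__ == "__main__": print(audit_web_xml(POSTED), audit_web_xml(HTTPS_ONLY))
```

The second sample keeps only the user-data-constraint, so the transport guarantee applies to every method on /* and no container role check is involved.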