<role-name>*</role-name> <!-- even though I have no roles configured -->
The "*" means all the roles that you have defined in web.xml. Since you
haven't defined any roles in web.xml, there is nothing to authenticate,
hence it's gonna deny the request.
Filip
Glen Mazza wrote:
Hello,
I have developed a simple web application running on Tomcat that asks
for a database username and password and then returns a report in PDF.
I'm *not* using any of Tomcat's security features for this--no roles
for example.
In testing it has been running fine on HTTP, but I would like it to be
using HTTPS/SSL for production use, and ideally, be redirecting any
user HTTP requests to HTTPS. So I created a new keystore and
activated the HTTPS/SSL connector in the server.xml file. I also
added the following security constraint to the web.xml of my web
application in order to force a redirect from HTTP to HTTPS should the
user enter the former:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>thewholeapp</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name> <!-- even though I have no roles configured -->
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
The redirection to the HTTPS page is working, but the HTTPS page
itself is failing--I keep getting 403 error messages: "Access to the
requested resource has been denied". Note I am *not* doing any form
of container authentication--that may be the problem, as I'm relying
on the DB connection string within my web application to authenticate
into the database. I get the same message if I go to the https:// URL
directly and not via redirection.
How can I get Tomcat to let every user access the HTTPS URL login page
(letting the database continue to handle the subsequent authentication
into the DB), preferably while still allowing for the automatic
redirection from HTTP to HTTPS as listed in the above
<security-constraint/>?
Thanks,
Glen
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
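An added example, not part of either post: the same constraint written so that it only enforces transport security. It assumes the application keeps doing its own database login and that the HTTP connector in server.xml has a redirectPort pointing at the HTTPS connector.

```xml
<!-- web.xml fragment (added example, not the poster's final configuration) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>thewholeapp</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- No <http-method> elements: the constraint then applies to every
         HTTP method, not only GET and POST. Listing methods leaves the
         unlisted ones (HEAD, PUT, DELETE, ...) outside this constraint. -->
  </web-resource-collection>

  <!-- No <auth-constraint> element at all. Without it the container
       requires no role and performs no authentication for these URLs,
       so the 403 caused by <role-name>*</role-name> with zero declared
       roles does not occur. Note that an empty <auth-constraint/> is
       NOT equivalent: it denies access to everyone. -->

  <user-data-constraint>
    <!-- Still enforced: a request arriving over plain HTTP is redirected
         to the connector's redirectPort before the application sees it. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

The redirect only protects requests after the first one; a username and password posted to an http:// URL have already crossed the network in clear text by the time the container answers with the redirect, so the login form itself should be served and submitted over https://.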