On 14/10/2011 21:09, Janet Preston wrote:
> Hi,
>
> I have a web site with a login page that has to be accessed using SSL so
> that the password is not sent as clear text. The rest of the site is
> non-SSL.

So the password is worth protecting but the session ID is not? The session
ID is as good as the password for most nefarious purposes.

> My web.xml is configured as follows:
> <welcome-file-list>
> <welcome-file>index.html</welcome-file>
> </welcome-file-list>
> <security-constraint>
> <display-name>App Security</display-name>
> <web-resource-collection>
> <web-resource-name>App Security</web-resource-name>
> <description></description>
> <url-pattern>*.jsp</url-pattern>
> <url-pattern>*.do</url-pattern>
> <url-pattern>*.html</url-pattern>
> <http-method>GET</http-method>
> <http-method>PUT</http-method>
> <http-method>POST</http-method>
> <http-method>DELETE</http-method>
> </web-resource-collection>

Using any other HTTP method (e.g. HEAD) will bypass the security
constraints. I'd strongly recommend removing those methods from the
constraint.

> <auth-constraint>
> <description></description>
> <role-name>person</role-name>
> </auth-constraint>
> </security-constraint>
> <login-config>
> <auth-method>FORM</auth-method>
> <form-login-config>
> <form-login-page>/login.jsp</form-login-page>
> <form-error-page>/loginerr.jsp</form-error-page>
> </form-login-config>
> </login-config>

I don't see anything that forces logins to be over SSL.

> <security-role>
> <description>All users who can login should be able to use this
> application</description>
> <role-name>person</role-name>
> </security-role>
>
> I created a certificate using the Java keystore and updated tomcat
> server.xml
> <Connector port="8080" protocol="HTTP/1.1"
> connectionTimeout="20000"
> redirectPort="8443" />
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> keystoreFile="/security/.keystore"
> keystorePass="appcertkey" keyAlias="keyalias"/>
>
> <!-- Define an AJP 1.3 Connector on port 8009 -->
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>
> Index.html redirects the user from https to http.

Is that the only redirect in either direction?

Mark
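The two weaknesses Mark points out (an enumerated http-method list that leaves other methods unconstrained, and no user-data-constraint forcing HTTPS) can be checked mechanically. The script below is an added example, not code from the thread or from Tomcat; the two web.xml fragments it audits are constructed, the first mirroring the posted configuration and the second showing the corrected form.

```python
# Added example: audit web.xml security-constraints for the two issues raised
# in the thread, using only the Python standard library.
import xml.etree.ElementTree as ET

# Constructed sample modelled on the posted web.xml: methods are enumerated
# (so e.g. HEAD is unconstrained) and nothing requires HTTPS.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>App Security</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>person</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed hardened variant: no http-method list (the constraint then covers
# every method) plus CONFIDENTIAL transport, which makes the container redirect
# plain-HTTP requests for these resources to the SSL connector.
FIXED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>App Security</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>person</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def audit_web_xml(xml_text):
    """Return a list of finding strings; empty when no issue is detected."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop any xmlns prefix so tag lookups stay simple
        el.tag = el.tag.split("}")[-1]
    findings = []
    for sc in root.iter("security-constraint"):
        colls = sc.findall("web-resource-collection")
        label = ", ".join(c.findtext("web-resource-name", "?") for c in colls) or "?"
        for c in colls:
            methods = [m.text for m in c.findall("http-method")]
            if methods:  # only the listed methods are protected
                findings.append(f"{label}: only {methods} constrained; other methods bypass")
        guarantee = sc.findtext("user-data-constraint/transport-guarantee")
        if guarantee not in ("CONFIDENTIAL", "INTEGRAL"):
            findings.append(f"{label}: transport-guarantee is {guarantee}; HTTPS not enforced")
    return findings
```

Run against a real web.xml with `audit_web_xml(open("WEB-INF/web.xml").read())`; a clean result still leaves the session cookie travelling over HTTP unless the rest of the site is moved to SSL as well.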