Perform 301 redirect from http to https in Apache Tomcat

Question

I have configured SSL in my web application. I have installed the certificate in my Tomcat as per the required steps.

The tutorial that I have been following is https://www.mulesoft.com/tcat/tomcat-security

I have enforced the use of https over http which means that any request to http will be forwarded to https. I made the following changes in my server.xml

<Connector port="8080" protocol="HTTP/1.1" 

           connectionTimeout="20000" 

           redirectPort="443"

           proxyHost="10.1.1.1" proxyPort="80"

           URIEncoding="UTF-8"

           maxHttpHeaderSize="32768"/>

• See more at: https://www.mulesoft.com/tcat/tomcat-security#sthash.6zIVA27x.dpuf

The web.xml changes are as follows:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SecureConnection</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

However, the redirect that is taking place is temporary re-direct ie 302. I want to use 301 re-direct ie., permanent redirect.

How can I achieve that?

Answer 1

This is configured on your Realm. See the transportGuaranteeRedirectStatus attribute of your particular Realm implementation.

https://tomcat.apache.org/tomcat-8.5-doc/config/realm.html

Ex: server.xml has this out-of-the-box

  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>

It does not set transportGuaranteeRedirectStatus so it defaults to 302. If you want to make it use a 301, just add the attribute transportGuaranteeRedirectStatus="301" to the top level Realm (you may not have nested Realms depending on your configuration) and restart Tomcat.

Ex:

  <Realm className="org.apache.catalina.realm.LockOutRealm" transportGuaranteeRedirectStatus="301">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase" />
  </Realm>

If you do not have a Realm tag defined in your configuration, Tomcat will default to using a NullRealm. If you want to override the redirect in this situation, you'd just need to define a NullRealm under with the transportGuaranteeRedirectStatus property set on it.

Hope that helps!