Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

SSL for specific pages/url-patterns in tomcat

I recently configured tomcat 6 with SSL and client authentication, but the only way I could do it was modifying server configuration files (web.xml, server.xml). But as I don't have full control over the deployment server, I would like to configure everything just for some pages or url-patterns of my application without modifying the main configuration files.

For example: Main server:

  • Application1 -> HTTP
  • Application2 -> HTTP
  • MyApplication -> HTTPS

If somebody knows how to do it, please tell me.

like image 389
Timoteo Ponce Avatar asked Nov 25 '10 23:11

Timoteo Ponce


1 Answers

The only way to get https going is to write the appropriate connector on the server.xml file under the <service> tag. Once you setup the connector you can access all applications in the server with http or https. The only difference is what connector gets used. Typically the connectors for http and https look like these:

<Connector port="80" protocol="HTTP/1.1"
           maxThreads="150" connectionTimeout="20000"
           redirectPort="443"
           URIEncoding="UTF-8" compression="on"/>

<Connector port="443" protocol="HTTP/1.1"
           maxThreads="150" connectionTimeout="20000"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/.keystore"
           keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"
           URIEncoding="UTF-8" compression="on"/>

You can then force your application to always use https by adding the transport-guarantee tag to web.xml which ends up something like this:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Administrators</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Administrators</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

You can change the transport-guarantee for the different web resources you define. Thus allowing you to protect certain parts of the site and not others.

At the very end having the connector in server.xml does not force you yo use https for all applications. It only allows the use of the https connector.

like image 182
Ricardo Marimon Avatar answered Sep 20 '22 23:09

Ricardo Marimon