Tomcat 7 HTTP to HTTPS redirect

Intro


This article shows how to redirect HTTP to HTTPS in the Tomcat 7 servlet container so that it always requires a secure connection. It assumes that the following TCP ports are used:
  • 8080: for HTTP
  • 8443: for HTTPS 
Follow the steps below exactly as described.

Configuration


1) Edit the server.xml configuration file in the Tomcat home directory and change the following part of its configuration:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443" />

to what's shown below:

<Connector port="8080" enableLookups="false"
           redirectPort="8443" />

2) Edit the web.xml configuration file in the Tomcat home directory and add the following content at the end, just before the closing </web-app> tag:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- auth-constraint goes here if you require authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

3) Restart the Tomcat servlet container.

You're done! Tomcat now always requires a secure connection.
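
A static check of the two files edited in steps 1 and 2, as an added example that is not part of the original article: it confirms that the CONFIDENTIAL constraint really covers /* and that the HTTP connector's redirectPort points at a TLS connector. The function names are hypothetical, the 8443 connector with SSLEnabled="true" is an assumption (its setup is not shown here), and the http-method check goes slightly beyond the steps above: a constraint that lists methods only applies to those methods.

```python
import xml.etree.ElementTree as ET

def find_all(elem, name):
    """All descendants called `name`, ignoring the XML namespace web.xml usually declares."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_web_xml(web_xml):
    """Return reasons the CONFIDENTIAL constraint does not cover every request."""
    problems, covered = [], False
    for sc in find_all(ET.fromstring(web_xml), "security-constraint"):
        patterns = [(p.text or "").strip() for p in find_all(sc, "url-pattern")]
        if "/*" not in patterns:
            continue
        covered = True
        guarantees = [(g.text or "").strip() for g in find_all(sc, "transport-guarantee")]
        if "CONFIDENTIAL" not in guarantees:
            problems.append("constraint on /* has no CONFIDENTIAL transport-guarantee")
        if find_all(sc, "http-method"):
            problems.append("constraint on /* names http-method, other methods stay on HTTP")
    if not covered:
        problems.append("no security-constraint with url-pattern /*")
    return problems

def audit_server_xml(server_xml):
    """Return plain-HTTP connectors whose redirectPort is not a TLS connector."""
    connectors = find_all(ET.fromstring(server_xml), "Connector")
    tls_ports = {c.get("port") for c in connectors if c.get("SSLEnabled", "").lower() == "true"}
    return [f"connector {c.get('port')}: redirectPort {c.get('redirectPort')} is not TLS"
            for c in connectors
            if c.get("port") not in tls_ports and c.get("redirectPort") not in tls_ports
            and not c.get("protocol", "").startswith("AJP")]

# Constructed samples: the constraint from step 2 and the connector from step 1.
# The 8443 TLS connector is an assumption; its setup is not shown on this page.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" enableLookups="false" redirectPort="8443" />
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true" />
</Service></Server>"""

if __name__ == "__main__":
    print(audit_web_xml(WEB_XML) + audit_server_xml(SERVER_XML) or "configuration OK")
```

To audit a real installation, pass the contents of your own server.xml and web.xml to the two functions instead of the constructed samples.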

Related topics:


http://tkurek.blogspot.com/2013/07/how-to-secure-tomcat-7-with-ssl-tls.html

19 comments:

  1. Is it possible to use a different url-pattern instead of /* ? Let's say I'd like to secure only /docs directory rather than the whole site. I made some tests using the syntax below but it doesn't seem to work.

    /docs/*

    Replies
    1. @Unknown:

      I'm not sure whether it's doable. Have you thought about putting Apache in front of Tomcat?

  2. Hello,

    Just wanted to say many thanks!!. This worked for me.

    Sincerely,
    j

  3. Worked for me... Thanks

  4. Worked fine so far...thanks!!

  5. Hi,

    I tried but got below errors.
    "The ResourceConfig instance does not contain any root resource classes."

  6. How can this be combined with basic authentication?

    Replies
    1. @Anonymous October 12, 2015 at 5:21 PM:
      Basic Authentication is managed by the web app (or whatever client/server tools you're using). You can think of SSL / HTTPS as being a bubble that wraps around the connection between the server and the client (for encryption)... but it does not define how you send / manage credentials and authentication.

  7. Hello, I learned about the redirect on your blog; can I reference it in my blog?

  8. Works for me to set SafeQ server work on https.
    Thanks!

  9. This can get me out of my tomcat issues. Thanks.

    mark email tomcat

  10. Thank you! It really works.
