Intro
The following article shows how to easily redirect HTTP to HTTP in Tomcat 7 servlet container that it always requires secure connection. It was assumed that the following TCP ports are used for that purpose:
- 8080: for HTTP
- 8443: for HTTPS
Please, follow the exact steps as described below to get it done.
The following article shows how to easily redirect HTTP to HTTP in Tomcat 7 servlet container that it always requires secure connection. It was assumed that the following TCP ports are used for that purpose:
- 8080: for HTTP
- 8443: for HTTPS
Please, follow the exact steps as described below to get it done.
Configuration
1) Update server.xml configuration file in Tomcat home directory and change the following part of its configuration:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
URIEncoding="UTF-8"
redirectPort="8443" />
to what's shown below:
<Connector port="8080" enableLookups="false"
redirectPort="8443" />
2) Update web.xml configuration file in Tomcat home directory and add the following content into the end before the closing </web-app> markup:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth-constraint goes here if you requre authentication -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
3) Restart Tomcat servlet container.
You're done! The Tomcat always requires secure connection now.
Related topics:
http://tkurek.blogspot.com/2013/07/how-to-secure-tomcat-7-with-ssl-tls.html
Is it possible to user a different url-pattern instead of /* ? Let's say I'd like to secure only /docs directory rather than the hole site. I made some tests using the syntax below but it doesn't seem to work.
ReplyDelete/docs/*
@Unknown:
DeleteI'm not sure whether it's doable. Have you thought about putting Apache in front of Tomcat?
Hello,
ReplyDeleteJust wanted to say many thanks!!. This worked for me.
Sincerely,
j
Worked for me... Thanks
ReplyDeleteit work for me. thank Tytus Kurek
ReplyDeleteWorked fine so far...thanks!!
ReplyDeleteHi,
ReplyDeleteI tried but got below errors.
"The ResourceConfig instance does not contain any root resource classes."
Uorqued for mi
ReplyDeleteHow this can be combined with basic authentication?
ReplyDelete@AnonymousOctober 12, 2015 at 5:21 PM:
DeleteBasic Authentication is managed by the web app (or whatever client/server tools you're using). You can think of SSL / HTTPS as being a bubble that wraps around the connection between the server and the client (for encryption)... but it does not define how you send / manage credentials and authentication.
Thank you. It works for me too.
ReplyDeletehello, I learn redirect in your blog, can I reference there in my blog?
ReplyDeleteNP
DeleteWorks for me to set SafeQ server work on https.
ReplyDeleteThanks!
thanks... God bless sir...
ReplyDeleteThank you! It really works.
ReplyDeleteGreat!!
ReplyDeleteit works for me thanks
ReplyDeleteThank you for the auspicious writeup. It in fact was a amusement account
ReplyDeleteit. Look advanced to far added agreeable from you!
By the way, how could we communicate?
https://www.linkedin.com/in/tkurek
DeleteThis comment has been removed by the author.
ReplyDeleteHi it doesn't works for me i need help.
ReplyDeleteif i hit the url
it give responce on browser
and the url changed automatically to
URL https://localhost:8080/
Deleteresponce This site can’t be reached
great
ReplyDeletehello
ReplyDeletehow we can add header security in tomcat apache 7.0.79
need to add Content security policy and hsts
worked for me toma 7.0.72
ReplyDeletehttp listener rules had ROOT instead of default {path} hence why redirection happened. Right now it is fixed and I don't see ROOT in the http URL redirecting to https.
ReplyDeleteHi this does a redirect to https, but appends :8443 at the end of the domain part of the URL.
ReplyDeleteCan I fix that