
how to auto redirect to https from http


how to auto redirect to https from http

Dave-53
Hi,
  when user types http://www.mydomain.com, how to redirect to secure url https://www.mydomain.com?  I know that a servlet filter can do that. Is there an easier way?
   
  In server.xml,  redirectPort="8443" for port 80, it did not work as I expected.
   
       <Connector port="80" address="${jboss.bind.address}"
         maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
         emptySessionPath="true"
         enableLookups="false" redirectPort="8443" acceptCount="100"
         connectionTimeout="20000" disableUploadTimeout="true"/>
     
        <Connector port="8443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/keystore"
           keystorePass="123456" sslProtocol = "TLS" />

  Thanks for help.
   
  Dave

       

Re: how to auto redirect to https from http

Hazem.Daoud
Hi Dave,

Try to add this to web.xml under tomcat_install_dir/conf:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

That works for me.

Regards.

--Hazem.

Dave wrote:

> Hi,
>   when user types http://www.mydomain.com, how to redirect to secure url https://www.mydomain.com?  I know that a servlet filter can do that. Is there an easier way?
>    
>   In server.xml,  redirectPort="8443" for port 80, it did not work as I expected.
>    
>        <Connector port="80" address="${jboss.bind.address}"
>          maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
>          emptySessionPath="true"
>          enableLookups="false" redirectPort="8443" acceptCount="100"
>          connectionTimeout="20000" disableUploadTimeout="true"/>
>      
>         <Connector port="8443" address="${jboss.bind.address}"
>            maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
>            emptySessionPath="true"
>            scheme="https" secure="true" clientAuth="false"
>            keystoreFile="${jboss.server.home.dir}/keystore"
>            keystorePass="123456" sslProtocol = "TLS" />
>
>   Thanks for help.
>    
>   Dave
>

Re: how to auto redirect to https from http

Dave-53
Hi Hazem,
  Thanks,
   
  I tried the method, it worked.
  But  when I tried to protect login page only,
   
  <web-resource-collection>
      <web-resource-name>protected pages</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
  </web-resource-collection>

  restarted tomcat, and went to http://www.mydomain.com
   
  it was redirected to secure URL. It should stay insecure until going to login page.
   
  anything I was missing?
   
  Thanks
  Dave

Hazem DAOUD <[hidden email]> wrote:
  Hi Dave,

Try to add this to web.xml under tomcat_install_dir/conf:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

That works for me.

Regards.

--Hazem.

Dave wrote:

> Hi,
> when user types http://www.mydomain.com, how to redirect to secure url https://www.mydomain.com? I know that a servlet filter can do that. Is there an easier way?
>
> In server.xml, redirectPort="8443" for port 80, it did not work as I expected.
>
>        <Connector port="80" address="${jboss.bind.address}"
>          maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
>          emptySessionPath="true"
>          enableLookups="false" redirectPort="8443" acceptCount="100"
>          connectionTimeout="20000" disableUploadTimeout="true"/>
>
>         <Connector port="8443" address="${jboss.bind.address}"
>            maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
>            emptySessionPath="true"
>            scheme="https" secure="true" clientAuth="false"
>            keystoreFile="${jboss.server.home.dir}/keystore"
>            keystorePass="123456" sslProtocol = "TLS" />
>
> Thanks for help.
>
> Dave
>

Re: how to auto redirect to https from http

Christopher Schultz-2

Dave,

Dave wrote:
|   I tried the method, it worked.
|   But when I tried to protect login page only,
|
|   <web-resource-collection>
|       <web-resource-name>protected pages</web-resource-name>
|       <url-pattern>/login.jsp</url-pattern>
|   </web-resource-collection>
|
|   restarted tomcat, and went to http://www.mydomain.com
|
|   it was redirected to secure URL. It should stay insecure until going
|   to login page.
|
|   anything I was missing?

Is that your entire <web-resource-collection> configuration? If you've
told Tomcat that /* should be CONFIDENTIAL, then all traffic will be
redirected to HTTPS.

Move the CONFIDENTIAL part into the <web-resource-collection> that
represents your login page, and leave the rest of the app non-CONFIDENTIAL.

Remember that Tomcat will not automatically go from HTTPS to HTTP, so
you'll have to make that happen yourself. Also remember that if your
session id cookie was created in HTTPS mode, your browser will not send
it back to the server when you're in HTTP mode.

-chris

---------------------------------------------------------------------
To start a new topic, e-mail: [hidden email]
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: how to auto redirect to https from http

Dave-53
Hi Chris,
   
  I moved the <user-data-constraint> inside the <web-resource-collection> as the following:
   
       <security-constraint>
                <web-resource-collection>
                        <web-resource-name>Automatic SLL Forwarding</web-resource-name>
                        <url-pattern>/login.html</url-pattern>
                        <user-data-constraint>
                           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                        </user-data-constraint>
                </web-resource-collection>
        </security-constraint>

  But http://www.mydomain.com/login.html  did not redirect to secure URL.
   
  As you mentioned, If I start as http, then redirect to https when login,  and keep https after login. Does that mean https is using the http session? Is there any security hole? If a man-in-the-middle knows the session id from http and the same session id is used by https?
   
  Thanks for help.
  Dave

Christopher Schultz <[hidden email]> wrote:
  Dave,

Dave wrote:
| I tried the method, it worked.
| But when I tried to protect login page only,
|
|   <web-resource-collection>
|       <web-resource-name>protected pages</web-resource-name>
|       <url-pattern>/login.jsp</url-pattern>
|   </web-resource-collection>
|
| restarted tomcat, and went to http://www.mydomain.com
|
| it was redirected to secure URL. It should stay insecure until going
| to login page.
|
| anything I was missing?

Is that your entire <web-resource-collection> configuration? If you've
told Tomcat that /* should be CONFIDENTIAL, then all traffic will be
redirected to HTTPS.

Move the CONFIDENTIAL part into the <web-resource-collection> that
represents your login page, and leave the rest of the app non-CONFIDENTIAL.

Remember that Tomcat will not automatically go from HTTPS to HTTP, so
you'll have to make that happen yourself. Also remember that if your
session id cookie was created in HTTPS mode, your browser will not send
it back to the server when you're in HTTP mode.

-chris



       

Re: how to auto redirect to https from http

Christopher Schultz-2

Dave,

Dave wrote:
|   I moved the <user-data-constraint> inside the <web-resource-collection>
|   as the following:
|
|   <security-constraint>
|     <web-resource-collection>
|       <web-resource-name>Automatic SLL Forwarding</web-resource-name>
|       <url-pattern>/login.html</url-pattern>
|       <user-data-constraint>
|         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
|       </user-data-constraint>
|     </web-resource-collection>
|   </security-constraint>
|
|   But http://www.mydomain.com/login.html did not redirect to secure URL.

:(

It's possible that Tomcat ignores that setting during its own
authentication process (which would suck if it were the case). What does
the URL say when you are being asked to login?

| As you mentioned, If I start as http, then redirect to https when
| login, and keep https after login. Does that mean https is using the
| http session?

Well, it's not a "http session" per-se... it's the session that was
created while you were in http mode. The answer is yes: Tomcat will
continue to use that session. If, however, you kill any sessions
(yourself) as you switch to https, then any fallback to http will lose
the session (because the browser will refuse to send a "secure" cookie
through a non-secure channel).

| Is there any security hole? If a man-in-the-middle knows the session
| id from http and the same session id is used by https?

This does not require man-in-the-middle. It's just plain-old session
hijacking. This can happen whether you are using SSL or not -- if
someone can guess your session id, you're pwned.

-chris


Re: how to auto redirect to https from http

geezenslaw
In reply to this post by Dave-53
Hello Dave, this is not exactly the answer you are looking for but I have been concerned with public web security for a long time and I have finally resigned myself to the fact that if you are using login pages that process user ids and passwords and other confidential info that man-in-the-middle and any type of network traffic sniffing is extremely dangerous. I run several Java apps publicly and all are 100% https/SSL all the time. It is a performance hit but I just up the hardware to match: multi-core Linux boxes with smp and 4+ gigs mem and other virtualization tricks as afforded by XEN and even Tomcat itself (6.0). Also please note: JBoss is very good at multi-instance web application servers on multiple ports with only a single machine install. If you have very serious Java web application concerns and full-time https encryption is warranted then you might give the folks at: www.azulsystems.com a call. HTH, David.

Dave wrote:

> Hi Chris,
>    
>   I moved the <user-data-constraint> inside the <web-resource-collection> as the
> following:
>    
>        <security-constraint>
>                 <web-resource-collection>
>                         <web-resource-name>Automatic SLL Forwarding</web-resource-name>
>                         <url-pattern>/login.html</url-pattern>
>                         <user-data-constraint>
>                            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>                         </user-data-constraint>
>                 </web-resource-collection>
>         </security-constraint>
>
>   But http://www.mydomain.com/login.html  did not redirect to secure URL.
>    
>   As you mentioned, If I start as http, then redirect to https when login,  and
> keep https after login. Does that mean https is using the http session? Is there
> any security hole? If a man-in-the-middle knows the session id from http and the
> same session id is used by https?
>    
>   Thanks for help.
>   Dave
>
> Christopher Schultz <[hidden email]> wrote:
>   Dave,
>
> Dave wrote:
> | I tried the method, it worked.
> | But when I tried to protect login page only,
> |
> |   <web-resource-collection>
> |       <web-resource-name>protected pages</web-resource-name>
> |       <url-pattern>/login.jsp</url-pattern>
> |   </web-resource-collection>
> |
> | restarted tomcat, and went to http://www.mydomain.com
> |
> | it was redirected to secure URL. It should stay insecure until going
> | to login page.
> |
> | anything I was missing?
>
> Is that your entire <web-resource-collection> configuration? If you've
> told Tomcat that /* should be CONFIDENTIAL, then all traffic will be
> redirected to HTTPS.
>
> Move the CONFIDENTIAL part into the <web-resource-collection> that
> represents your login page, and leave the rest of the app non-CONFIDENTIAL.
>
> Remember that Tomcat will not automatically go from HTTPS to HTTP, so
> you'll have to make that happen yourself. Also remember that if your
> session id cookie was created in HTTPS mode, your browser will not send
> it back to the server when you're in HTTP mode.
>
> -chris


Re: how to auto redirect to https from http

Dave-53
In reply to this post by Christopher Schultz-2
Chris,
   
  The url is not changed when I point to http://www.mydomain.com/login.html in browser. The .html is mapped to servlet. I expected it to change to https://....
   
  So it is not secure to start as http and then switch to https to use the same http session, because the session id is visible to a man-in-the-middle. Am I right? If not secure, why is it allowed to be working this way?
   
  Even start with https, if url-rewriting is used for session tracking(sessionid in url), it is not secure anymore, right?
   
  Thanks,
Dave

Christopher Schultz <[hidden email]> wrote:
    Dave,

Dave wrote:
| I moved the <user-data-constraint> inside the <web-resource-collection>
| as the following:
|
|   <security-constraint>
|     <web-resource-collection>
|       <web-resource-name>Automatic SLL Forwarding</web-resource-name>
|       <url-pattern>/login.html</url-pattern>
|       <user-data-constraint>
|         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
|       </user-data-constraint>
|     </web-resource-collection>
|   </security-constraint>
|
| But http://www.mydomain.com/login.html did not redirect to secure URL.

:(

It's possible that Tomcat ignores that setting during its own
authentication process (which would suck if it were the case). What does
the URL say when you are being asked to login?

| As you mentioned, If I start as http, then redirect to https when
| login, and keep https after login. Does that mean https is using the
| http session?

Well, it's not a "http session" per-se... it's the session that was
created while you were in http mode. The answer is yes: Tomcat will
continue to use that session. If, however, you kill any sessions
(yourself) as you switch to https, then any fallback to http will lose
the session (because the browser will refuse to send a "secure" cookie
through a non-secure channel).

| Is there any security hole? If a man-in-the-middle knows the session
| id from http and the same session id is used by https?

This does not require man-in-the-middle. It's just plain-old session
hijacking. This can happen whether you are using SSL or not -- if
someone can guess your session id, you're pwned.

-chris




       

Re: how to auto redirect to https from http

Bill Barker-2
In reply to this post by Christopher Schultz-2

"Christopher Schultz" <[hidden email]> wrote in message
news:[hidden email]...

>
> Dave,
>
> Dave wrote:
> |   I moved the <user-data-constraint> inside the <web-resource-collection>
> |   as the following:
> |
> |   <security-constraint>
> |     <web-resource-collection>
> |       <web-resource-name>Automatic SLL Forwarding</web-resource-name>
> |       <url-pattern>/login.html</url-pattern>
> |       <user-data-constraint>
> |         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> |       </user-data-constraint>
> |     </web-resource-collection>
> |   </security-constraint>
> |
> |   But http://www.mydomain.com/login.html did not redirect to secure URL.
>
> :(
>
> It's possible that Tomcat ignores that setting during its own
> authentication process (which would suck if it were the case). What does
> the URL say when you are being asked to login?
>

Well, the first problem is that the <user-data-constraint> has to come after
the </web-resource-collection> according to the spec.  If you nest it in the
<web-resource-collection>, Tomcat will quietly ignore it (there are enough
xml validators for you to check your web.xml syntax).

However, this won't work at all in Tomcat if you are using Container auth.
The reason is that Tomcat (at least 5.5 and higher) does a forward to the
login page, not a redirect.  As a result, Tomcat never checks the security
permissions for the /login.html URL.

> | As you mentioned, If I start as http, then redirect to https when
> | login, and keep https after login. Does that mean https is using the
> | http session?
>
> Well, it's not a "http session" per-se... it's the session that was
> created while you were in http mode. The answer is yes: Tomcat will
> continue to use that session. If, however, you kill any sessions
> (yourself) as you switch to https, then any fallback to http will lose
> the session (because the browser will refuse to send a "secure" cookie
> through a non-secure channel.
>
> | Is there any security hole? If a man-in-the-middle knows the session
> | id from http and the same session id is used by https?
>
> This does not require man-in-the-middle. It's just plain-old session
> hijacking. This can happen whether you are using SSL or not -- if
> someone can guess your session id, you're pwned.
>
> -chris
>




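Bill's point above (a <user-data-constraint> nested inside <web-resource-collection> is not what the spec allows, and Tomcat quietly ignores it) is easy to miss by eye in a long web.xml. The following is an added example written for this page, not code from the thread or from Tomcat: it parses a web.xml with the JDK's DOM parser and reports, for each <security-constraint>, the url-patterns it names, whether a CONFIDENTIAL transport-guarantee is actually in effect, and whether a guarantee has been placed inside the collection where it does nothing. The class name and the embedded sample web.xml (the nested form from the thread next to the corrected form) are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/**
 * Editor's example (not from the thread or Tomcat): reports, for every
 * security-constraint in a web.xml, whether a CONFIDENTIAL transport-guarantee
 * sits where the servlet spec expects it (as a sibling of web-resource-collection).
 */
public class TransportGuaranteeCheck {

    public static class Finding {
        public String name = "(unnamed)";                 // first web-resource-name
        public final List<String> patterns = new ArrayList<String>();
        public boolean confidential;                      // guarantee in the right place
        public boolean nestedGuarantee;                   // guarantee inside the collection: ignored

        public String toString() {
            String status = confidential ? "CONFIDENTIAL" : "no transport guarantee in effect";
            String warning = nestedGuarantee
                ? " (user-data-constraint nested inside web-resource-collection is ignored)" : "";
            return name + " " + patterns + ": " + status + warning;
        }
    }

    public static List<Finding> check(InputStream webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Treat web.xml as plain data: do not fetch its DTD or resolve external entities.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(webXml);

        List<Finding> findings = new ArrayList<Finding>();
        NodeList constraints = doc.getElementsByTagName("security-constraint");
        for (int i = 0; i < constraints.getLength(); i++) {
            Element sc = (Element) constraints.item(i);
            Finding fd = new Finding();
            for (Element wrc : children(sc, "web-resource-collection")) {
                List<Element> names = children(wrc, "web-resource-name");
                if (!names.isEmpty()) fd.name = names.get(0).getTextContent().trim();
                for (Element up : children(wrc, "url-pattern")) {
                    fd.patterns.add(up.getTextContent().trim());
                }
                // The spec puts user-data-constraint after the collection, not inside it.
                if (!children(wrc, "user-data-constraint").isEmpty()) fd.nestedGuarantee = true;
            }
            for (Element udc : children(sc, "user-data-constraint")) {
                for (Element tg : children(udc, "transport-guarantee")) {
                    if ("CONFIDENTIAL".equals(tg.getTextContent().trim())) fd.confidential = true;
                }
            }
            findings.add(fd);
        }
        return findings;
    }

    /** Direct child elements named tag (deeper descendants are not matched). */
    static List<Element> children(Element parent, String tag) {
        List<Element> list = new ArrayList<Element>();
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && tag.equals(n.getNodeName())) {
                list.add((Element) n);
            }
        }
        return list;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the nested form from the thread, then the corrected form.
        String sample = "<web-app>"
            + "<security-constraint><web-resource-collection>"
            + "<web-resource-name>nested</web-resource-name><url-pattern>/login.html</url-pattern>"
            + "<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>"
            + "</user-data-constraint></web-resource-collection></security-constraint>"
            + "<security-constraint><web-resource-collection>"
            + "<web-resource-name>corrected</web-resource-name><url-pattern>/login.html</url-pattern>"
            + "</web-resource-collection><user-data-constraint>"
            + "<transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>"
            + "</security-constraint></web-app>";
        for (Finding fd : check(new ByteArrayInputStream(sample.getBytes("UTF-8")))) {
            System.out.println(fd);
        }
    }
}
```

Run against the sample, the first constraint is reported with "no transport guarantee in effect" and the nesting warning, the second as CONFIDENTIAL. Pointing `check()` at a deployed WEB-INF/web.xml is a quick way to confirm that what you believe is protected by CONFIDENTIAL really is, and that a pattern such as /* has not been left in place when only the login page was meant to be covered.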

Re: how to auto redirect to https from http

Christopher Schultz-2
In reply to this post by Dave-53

Dave,

Dave wrote:
| The url is not changed when I point to
| http://www.mydomain.com/login.html in browser. The .html is mapped to
|  servlet. I expected it to change to https://....

I think David identified part of the problem: your XML is not set up
properly. Check out the DTD (or Schema) to see where the
<transport-guarantee> goes, and try again.

| Even start with https, if url-rewriting is used for session
| tracking(sessionid in url), it is not secure anymore, right?

Correct. To really have a secure system, you need to use HTTPS all the
time and always use cookie-based session tracking.

-chris

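Dave's opening message mentions that a servlet filter can do the redirect, and Chris's replies add two things the container will not do for you: dropping the session that was created over HTTP when the client moves to HTTPS, and accepting that Tomcat never moves a client back from HTTPS to HTTP. The filter below is an added example written for this page, not code from the thread or from Tomcat. It redirects plain-HTTP requests for configured path prefixes to the same URL over HTTPS, marks every session whose id has been carried over HTTP, and replaces such a session with a fresh id the first time it is presented over HTTPS, so the id an eavesdropper may have seen never becomes the authenticated session. It uses the javax.servlet API of the Tomcat 5.5/6 era; the package, class and init-param names (securePaths, httpsHost, httpsPort) are the editor's own.

```java
package example.filter;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Editor's example (not from the thread or Tomcat). Forces HTTPS for configured
 * path prefixes and rotates any session whose id has already travelled over HTTP.
 */
public class HttpsEnforcementFilter implements Filter {

    /** Session attribute set once the session id has been sent over plain HTTP. */
    static final String EXPOSED_OVER_HTTP = "example.filter.exposedOverHttp";

    private final List<String> securePrefixes = new ArrayList<String>();
    private String canonicalHost;   // init-param "httpsHost"; set it rather than trusting the Host header
    private int httpsPort = 443;    // init-param "httpsPort", e.g. 8443 as in the Connector above

    public void init(FilterConfig config) throws ServletException {
        // init-param "securePaths": comma-separated, context-relative prefixes,
        // e.g. "/login.html,/account/". Default "/" protects the whole application.
        String paths = config.getInitParameter("securePaths");
        if (paths == null || paths.trim().length() == 0) paths = "/";
        for (String p : paths.split(",")) {
            if (p.trim().length() > 0) securePrefixes.add(p.trim());
        }
        canonicalHost = config.getInitParameter("httpsHost");
        String port = config.getInitParameter("httpsPort");
        if (port != null) httpsPort = Integer.parseInt(port.trim());
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (!request.isSecure()) {
            if (requiresHttps(path)) {
                response.sendRedirect(httpsUrl(request));   // 302 to the same URL over HTTPS
                return;
            }
            chain.doFilter(request, response);
            // Any session that exists now has had its id sent in clear text, either in the
            // request's cookie or in the Set-Cookie this response carries. Remember that.
            HttpSession s = request.getSession(false);
            if (s != null) s.setAttribute(EXPOSED_OVER_HTTP, Boolean.TRUE);
            return;
        }

        // HTTPS: a session exposed over HTTP gets a fresh id before the application
        // (login handling, account pages) sees the request.
        HttpSession session = request.getSession(false);
        if (session != null && Boolean.TRUE.equals(session.getAttribute(EXPOSED_OVER_HTTP))) {
            rotate(request, session);
        }
        chain.doFilter(request, response);
    }

    boolean requiresHttps(String path) {
        for (String prefix : securePrefixes) {
            if (path.startsWith(prefix)) return true;
        }
        return false;
    }

    /** The requested URI and query string, re-addressed to the HTTPS host and port. */
    String httpsUrl(HttpServletRequest request) {
        String host = canonicalHost != null ? canonicalHost : request.getServerName();
        StringBuilder url = new StringBuilder("https://").append(host);
        if (httpsPort != 443) url.append(':').append(httpsPort);
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) url.append('?').append(request.getQueryString());
        return url.toString();
    }

    /** Invalidate the exposed session and carry its attributes into a new one. */
    static void rotate(HttpServletRequest request, HttpSession old) {
        Map<String, Object> saved = new HashMap<String, Object>();
        for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            if (!EXPOSED_OVER_HTTP.equals(name)) saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        // Created during an HTTPS request, so Tomcat marks the new JSESSIONID cookie Secure.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) fresh.setAttribute(e.getKey(), e.getValue());
    }

    public void destroy() { }
}
```

Map the filter in web.xml with a <url-pattern> of /* even when securePaths lists only the login page, because the exposure marking has to see the plain-HTTP requests too. Two caveats follow from the thread: with container-managed FORM authentication the login page is reached by a forward on the original request (Bill's observation), so a filter keyed on the login URL alone cannot force that step onto HTTPS; and the filter deliberately never sends a client from HTTPS back to HTTP, since the Secure cookie would not be presented over HTTP and the session would appear lost. Both point the same way as Chris's closing advice: set securePaths to "/" and run the application on HTTPS throughout.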