Tuesday, 4 September 2007

Set up Tomcat to redirect HTTP requests to HTTPS

We had JIRA installed and using the built-in Tomcat app server,
accepting both HTTP and HTTPS requests. We wanted to restrict it so
that all JIRA access was only via SSL. The config changes were pretty
simple.

1. Change Tomcat's server.xml.
Edit the non-SSL <Connector> entry listening on port 80 and add or
edit the redirectPort attribute to point to the port on which the SSL
<Connector> is listening. By default, the redirectPort was pointing
to port 443.
Was:

    <Connector port="80"
        enableLookups="false" redirectPort="8443"
        maxThreads="100" minSpareThreads="100" maxSpareThreads="100"/>

Changed to:

    <Connector port="80"
        enableLookups="false" redirectPort="443"
        maxThreads="100" minSpareThreads="100" maxSpareThreads="100"/>

Because the SSL entry was:


2. In the Tomcat web.xml file the following <security-constraint> has
to be added within the <web-app> element. This new element must be
added after the <servlet-mapping> element:

    <!-- SSL settings. only allow HTTPS access to JIRA -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
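
A check for the two steps above, as an added example that is not part of the original post: it parses a server.xml and a web.xml and reports when a non-SSL connector's redirectPort does not match an SSL connector's port, or when no CONFIDENTIAL constraint covers /*. The sample files, the function names and the rule for recognising an SSL connector (secure="true" or scheme="https") are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample files mirroring the post's two steps (not the author's real configs).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" enableLookups="false" redirectPort="443"/>
  <Connector port="443" scheme="https" secure="true"/>
</Service></Server>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def _elements(xml_text, name):
    """All elements called `name`, ignoring any XML namespace on the tag."""
    return [e for e in ET.fromstring(xml_text).iter() if e.tag.rsplit("}", 1)[-1] == name]


def _texts(parent, name):
    """Stripped text of every descendant element called `name`."""
    return {(e.text or "").strip() for e in parent.iter() if e.tag.rsplit("}", 1)[-1] == name}


def audit(server_xml, web_xml):
    """Return a list of findings; an empty list means both steps are in place."""
    findings = []
    connectors = _elements(server_xml, "Connector")
    # Assumption: a connector is treated as SSL if it sets secure="true" or scheme="https".
    ssl = [c for c in connectors if c.get("secure") == "true" or c.get("scheme") == "https"]
    ssl_ports = {c.get("port") for c in ssl}
    # Step 1: every non-SSL connector must redirect to a port an SSL connector listens on.
    for c in connectors:
        if c not in ssl and c.get("redirectPort") not in ssl_ports:
            findings.append("server.xml: connector %s has redirectPort %s, which is not an SSL "
                            "connector port" % (c.get("port"), c.get("redirectPort")))
    # Step 2: some constraint must cover /* with a CONFIDENTIAL transport guarantee.
    if not any("/*" in _texts(sc, "url-pattern")
               and "CONFIDENTIAL" in _texts(sc, "transport-guarantee")
               for sc in _elements(web_xml, "security-constraint")):
        findings.append("web.xml: no CONFIDENTIAL security-constraint covers /*")
    return findings
```

An empty result means HTTP requests are redirected to the SSL connector for the whole application; a transport-guarantee of NONE produces the web.xml finding.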

9 comments:

Scott said...

Thanks for posting these redirect instructions. Most helpful.

krangsquared said...

Glad to see it was of use.

Just noticed I have an incomplete sentence .. "Because the SSL entry was:" WTF? Oh well. Don't remember.

SomeshRao said...

Thanks. This was very useful. Worked like a charm.

Alan said...

Hello All,

I have a reversed problem - my website is being automatically redirected to https instead of regular. I have checked the server.xml; the port 80 is defined properly.

What do I need to do to stop/reverse the "redirect"?

Below is the connector for port 80

Alan said...

I have resolved my redirect issue by changing from CONFIDENTIAL to "NONE" for the section. Detailed code below.


NONE



Gopal said...

I solved my problem using this post. Thanks.

Viswanathan G said...

Can you help me with the below scenario?

1. I have Tomcat with an SSL certificate.
2. I want to run another application which is running on another machine with HTTP.
3. But that application's URL should be shown as HTTPS.
4. I want to use the same public URL which I am using for Tomcat.

Can anyone help me with this?

~ Viswanathan

Ravi Naik said...

I did all these steps to redirect my application to "https", but I am not able to connect to the mysql database that is speaking with the application. Is there anything else we need to do for Database specific web applications?

krangsquared said...

This doesn't necessarily have anything to do with Tomcat, but if you're using Connection Pooling within Tomcat, have a look at the reference docs here:

http://tomcat.apache.org/tomcat-7.0-doc/jdbc-pool.html#Inside_the_Apache_Tomcat_Container