The Wrath of Krang: Set up Tomcat to redirect HTTP requests to HTTPS

Tuesday, 4 September 2007

Set up Tomcat to redirect HTTP requests to HTTPS

We had JIRA installed and using the built-in Tomcat app server,
accepting both HTTP and HTTPS requests. We wanted to restrict it so
that all JIRA access was only via SSL. The config changes were pretty
simple.
1. Change Tomcat's server.xml.
Edit the non-SSL <Connector> entry listening on port 80 and add or
edit the redirectPort atribute to point to the port on which the SSL
<Connector> is listening. By default, the redirectPort was pointing
to port 443.
Was:
<Connector port="80"
enableLookups="false" redirectPort="8443"
maxThreads="100" minSpareThreads="100" maxSpareThreads="100"/>

Changed to:
<Connector port="80"
enableLookups="false" redirectPort="443"
maxThreads="100" minSpareThreads="100" maxSpareThreads="100"/>
Because the SSL entry was:

2. In the Tomcat web.xml file the following <security-constraint> has
to be added within the <web-app> element. This new element must be
added after the <servlet-mapping> element:


<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

10 comments:

Scott said...: Thanks for posting these redirect instructions. Most helpful.; Wednesday, August 13, 2008 5:52:00 am
krangsquared said...: Glad to see it was of use.

Just noticed I have an incomplete sentence .. "Because the SSL entry was:" WTF? Oh well. Don't remember.; Wednesday, August 13, 2008 2:05:00 pm
SomeshRao said...: Thanks. This was very useful. Worked like a charm; Thursday, September 18, 2008 4:18:00 am
Unknown said...: Hello All,

I have a reversed problem - my website is being automatically redirected to https instead of regular. I have checked the server.xml, The port 80 is defined properly.

What do I need to do stop/reverse the "redirect"?

Below is the connector for port 80; Friday, February 19, 2010 6:06:00 am
Unknown said...: I have resolved my redirect issue by change from CONFIDENTIAL to NONE" for the section. Detailed code below.

NONE

_____

www.3win3.com; Friday, February 19, 2010 8:02:00 am
Gopal said...: I solved my problem using this post. Thanks.; Tuesday, August 30, 2011 1:48:00 am
Viswanathan G said...: Can you help me in the below scenario.

1. I have tomcat with SSL certificate
2. I want run another application which is running in another machine with HTTP.
3. But that application URL should be shown as HTTPS.
4. I want to use the same public URL which I am using for Tomcat.

Anyone can help me on this.

~ Viswanathan
9620047917; Friday, September 16, 2011 12:27:00 am
Ravi Naik said...: I did all these steps to redirect my application to "https", but I am not able to connect to the mysql database that is speaking with the application. Is there anything else we need to do for Database specific web applications?; Friday, October 25, 2013 1:04:00 pm
krangsquared said...: This doesn't necessarily have anything to do with Tomcat, but if you're using Connection Pooling within Tomcat, have a look at the reference docs here:

http://tomcat.apache.org/tomcat-7.0-doc/jdbc-pool.html#Inside_the_Apache_Tomcat_Container; Friday, January 31, 2014 5:26:00 pm
Eric Dain said...: Exactly what I was looking for, many thanks!!; Saturday, August 16, 2014 1:02:00 am