Transport-guarantee in web.xml

Jeppe Sommer
Ranch Hand

Joined: Jan 07, 2004
Posts: 270
I have added transport-guarantee as CONFIDENTIAL in my web.xml file.

<security-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

    <web-resource-collection>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
</security-constraint>

When I try to load the page (without using SSL "https://") with this URL http://www.myDomain.dk/app, the application automatically adds port 8443 to the URL, like https://www.myDomain.dk:8443/app, and shows an HTTP status 404 error page.

If I write the URL https://www.myDomain.dk/app it works perfectly. Why does it automatically add port 8443 to the URL and how can I avoid that?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41604
    
I think you'll get an answer quicker in the Servlet forum, so I'm moving the thread there - please find it in that forum and continue the discussion.


Ping & DNS - my free Android networking tools app
Bosun Bello
Ranch Hand

Joined: Nov 06, 2000
Posts: 1510
This depends on the server you are using. You may need to dig into the server's documentation.


Bosun (SCJP, SCWCD)
So much trouble in the world -- Bob Marley
Jeppe Sommer
Ranch Hand

Joined: Jan 07, 2004
Posts: 270
Okay I will try that. I know it runs on a Tomcat webserver. I have an idea that it has something to do with the settings in the server.xml config file, but I haven't found the solution yet. I have read the documentation at http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html, but I still have the same problem...

Any solutions?
[ January 19, 2006: Message edited by: Jeppe Fjord ]
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Moving to the Apache/Tomcat forum.
(where I'll attempt to answer...)


Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

In the connector node of your server.xml file, there is a redirectPort attribute. By default it is set to 8443 (the default SSL port that browsers use is 443).
Try changing it to 443 and see if that fixes it.
PS: You'll need to restart Tomcat.

Jeppe Sommer
Ranch Hand

Joined: Jan 07, 2004
Posts: 270
Hi,

I tried to do what you have written, but it didn't help. I contacted the hosting company and they asked me to make a filter instead, which redirects the requests to "https".

I have another two questions now:

1) Is it possible to set the transport-guarantee in the Java code, instead of doing it in the web.xml file, i.e. something like:

setTransportGuarantee("CONFIDENTIAL");

2) Is it possible to use different SSL certificates for each application? Let's say I have two certificates - one certificate is created by myself and is NOT signed by a CA, and the other one I have bought and is signed by a CA.

My application structure is:
https://www.myDomain.dk/app1 - use an SSL certificate signed by a CA
https://www.myDomain.dk/app2 - use an SSL certificate NOT signed by a CA (free)
https://www.myDomain.dk/app3 - never use an SSL certificate
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by Jeppe Fjord:
Hi,

I tried to do what you have written, but it didn't help.


I'm surprised that it didn't work.
What port is your SSL connector binding to?
Can you post the code to both the secure and non-secure connectors (minus any cert passwords, of course)?


I contacted the hosting company and they asked me to make a filter instead, which redirects the requests to "https".

I have another two questions now:

1) Is it possible to set the transport-guarantee in the Java code, instead of doing it in the web.xml file, i.e. something like:

setTransportGuarantee("CONFIDENTIAL");


That part, I'm not sure about but
making a filter is not too difficult:



2) Is it possible to use different SSL certificates for each application? Let's say I have two certificates - one certificate is created by myself and is NOT signed by a CA, and the other one I have bought and is signed by a CA.


The connectors are children of Host and I know that Tomcat can have multiple hosts configured. I'm not sure if multiple hosts can all listen on the same domain though.
Jeppe Sommer
Ranch Hand

Joined: Jan 07, 2004
Posts: 270

I'm surprised that it didn't work.
What port is your SSL connector binding to?
Can you post the code to both the secure and non-secure connectors (minus any cert passwords, of course)?


Here is how the server.xml is setup as default:

<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
<Connector port="31126"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           debug="0" connectionTimeout="20000"
           disableUploadTimeout="true" />
<!-- Note : To disable connection timeouts, set connectionTimeout value
     to 0 -->

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

I have tried to change redirectPort="443". If I unblock the SSL Coyote HTTP/1.1 Connector and set the port number to either port="8443" or port="443", I get this error when loading the application:

Service Temporarily Unavailable.

That part, I'm not sure about but
making a filter is not too difficult:


I have made this filter already, but is it possible to set the transport-guarantee as CONFIDENTIAL vs INTEGRAL vs NONE in your filter class?
[ January 21, 2006: Message edited by: Jeppe Fjord ]
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

What's listening to port 80 and converting the requests to 31126?
<Connector port="31126"
Is your hosting company running Tomcat behind another webserver (such as the Apache Webserver)?
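
An added example, not code posted by anyone in this thread: a servlet filter of the kind discussed above that sends plain-HTTP requests to HTTPS on an explicitly configured host and port (so no 8443 is appended) and, for the case where Tomcat sits behind a front-end web server that terminates SSL, can read the original scheme from a header that server sets. The class name, the init-param names (httpsHost, httpsPort, forwardedProtoHeader) and the existence of such a header on the front-end server are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example; class and init-param names are assumptions, not from the thread.
public class HttpsRedirectFilter implements Filter {
    private String httpsHost;            // canonical host, e.g. www.myDomain.dk
    private int httpsPort = 443;         // public HTTPS port as seen by browsers
    private String forwardedProtoHeader; // header set by a front-end server, or null

    public void init(FilterConfig cfg) throws ServletException {
        httpsHost = cfg.getInitParameter("httpsHost");
        if (httpsHost == null) throw new ServletException("httpsHost init-param is required");
        String port = cfg.getInitParameter("httpsPort");
        if (port != null) httpsPort = Integer.parseInt(port);
        forwardedProtoHeader = cfg.getInitParameter("forwardedProtoHeader");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (arrivedOverHttps(request)) {
            chain.doFilter(req, res);
            return;
        }
        // Build the target from configured values, not from the Host header,
        // and omit the port when it is the HTTPS default.
        StringBuilder target = new StringBuilder("https://").append(httpsHost);
        if (httpsPort != 443) target.append(':').append(httpsPort);
        target.append(request.getRequestURI());
        if (request.getQueryString() != null) target.append('?').append(request.getQueryString());
        response.sendRedirect(target.toString());
    }

    // request.isSecure() is false when a front-end server terminates SSL and
    // forwards plain HTTP, so optionally consult the header that server sets.
    private boolean arrivedOverHttps(HttpServletRequest request) {
        if (request.isSecure()) return true;
        return forwardedProtoHeader != null
                && "https".equalsIgnoreCase(request.getHeader(forwardedProtoHeader));
    }

    public void destroy() { }
}
```

Set forwardedProtoHeader only when Tomcat's connector is reachable solely from the front-end server; otherwise any client can send that header and be served over plain HTTP. Without the header option, a filter that relies on isSecure() alone behind an SSL-terminating front end redirects every request and loops.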
 