nmmsantos

Reputation: 325

Apache Tomcat Security

I'm almost getting close to finishing my configuration of Tomcat.

The trouble I'm having is in regard to both my client application and my browser.

I want that, when a user accesses Tomcat with his browser, it can only be accessed through https, so that I can use certificates to authenticate.

In my client application, when I communicate with axis2, I only want to use http, so I don't overload the server. I'm using apache rampart with password callbacks that use certificates, so there is no problem in not using https.

Now, this is where the problem starts. Here's what I've managed to get to work:

Allow SSL on tomcat, client certification works like a charm with the browsers.

However, the server is still accessible through

http://localhost:8080

Here is my server.xml in regard to this matter:

<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />

<Connector port="8443" maxThreads="150" scheme="https" secure="true" SSLEnabled="true" keystoreFile="conf/service.jks" keystorePass="password" clientAuth="true" keyAlias="service" sslProtocol="TLS"/>

Shouldn't it redirect to the 8443 port?

My client application can communicate with no problem through the 8080 port.

So what am I doing wrong?

Upvotes: 0

Views: 240

Answers (1)

David Levesque

Reputation: 22451

Did you define a security-constraint in your application's web.xml ? If not, try adding something like this:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL Forwarding</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Upvotes: 1
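A configuration check, added here and not part of the question or the answer: it parses a constructed web.xml carrying the constraint above, applies Servlet url-pattern matching, and reports whether a given path will be redirected off plain HTTP. The javaee namespace and the sample paths are assumptions, and overlapping patterns (where Tomcat applies longest-match precedence) are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not the asker's file): the constraint from the
# answer, inside the Servlet 2.5 namespace Tomcat descriptors usually declare.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL Forwarding</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Drop the namespace prefix so the check works with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]

def _url_pattern_matches(pattern, path):
    """Servlet-spec matching: exact, '/prefix/*', '*.ext', or the default '/'."""
    if pattern == "/" or pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False

def transport_guarantees(web_xml_text):
    """Map each url-pattern to its transport-guarantee ('NONE' when absent)."""
    guarantees = {}
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        tg = next((e.text for e in sc.iter() if _local(e.tag) == "transport-guarantee"), None)
        guarantee = (tg or "NONE").strip().upper()
        for up in sc.iter():
            if _local(up.tag) == "url-pattern":
                guarantees[(up.text or "").strip()] = guarantee
    return guarantees

def https_forced(web_xml_text, path):
    """True if a constraint covering `path` demands CONFIDENTIAL (or INTEGRAL,
    which Tomcat treats the same), i.e. a plain-HTTP request gets redirected."""
    return any(_url_pattern_matches(p, path) and g in ("CONFIDENTIAL", "INTEGRAL")
               for p, g in transport_guarantees(web_xml_text).items())
```

Note that `https_forced(SAMPLE_WEB_XML, "/services/MyService")` is True as well: with `/*`, the axis2 endpoint the asker wants to keep on plain HTTP would be redirected too, so a narrower url-pattern is needed if that endpoint must stay exempt.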
