Little bird

Reputation: 1088

How can I test a URL is SSL secured

I'm new to the IT industry. My test scenario is that I need to test whether my application's login page is SSL secured or not.

In general, sometimes when we visit websites, a pop-up about SSL security is shown. So I need to test the same scenario in my application.

I have a small web application with a login.html page. Basically, I'm able to start my web application using Maven, and the server used is Tomcat. The command I'm using to start it is mvn tomcat7:run, and the URL is http://localhost:8080/login.html. It works perfectly.

But I want to change my URL from http to https, and when I access my URL, i.e. https://localhost:8080/login.html, it should pop up an SSL security alert and I should accept it.

If my question is still not clear then feel free to comment.

After searching on the net I have done some workarounds, but it's not working out. What I have tried:

My HTML page

<!DOCTYPE html>
<html>
<head>
</head>
<body>
<h1>Login App</h1>
<div id="emptyDiv"></div>
<div id="description"></div>
<!--container start-->
<div id="container">
  <div id="container_body" style="background-color:#BBD700;">
  <!--Form start-->
    <div id="form_name">
      <!-- the form now wraps the whole field block, so no div is closed inside an open form -->
      <form>
        <div class="firstnameorlastname">
          &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
          <div id="errorBox"></div>
          First Name : <input id="firstName" type="text" name="Name" value="">
          &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
          Last name : <input id="lastName" type="text" name="LastName" value="">
        </div>
        &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
        <div id="email_form">
          Email Id: <input type="text" name="Email" value="">
        </div>
        <input id="sub_form" type="submit" value="Submit">
      </form>
    </div>
    <!--form ends-->
  </div>
</div>
<!--container ends-->
</body>
</html>

web.xml

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- in the 2.3 DTD, display-name must precede any security-constraint -->
  <display-name>Login WebApp</display-name>

  <!-- both constraints are commented out, so nothing is enforced at the moment -->
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MyEducationApp</web-resource-name>
      <url-pattern>/login.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Non-SecureResource</web-resource-name>
      <url-pattern>/login.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  -->
</web-app>

Maven Plugin used

<!-- Maven Tomcat Plugin -->
<plugin>
    <groupId>org.apache.tomcat.maven</groupId>
    <artifactId>tomcat7-maven-plugin</artifactId>
    <version>2.2</version>
    <configuration>
        <url>https://localhost:8080/manager/text</url>
        <server>localhost</server>
        <path>/</path>
        <username>admin</username>
        <password>aRfalah</password>
    </configuration>
    <executions>
        <execution>
            <id>tomcat7-run</id>
            <goals>
                <goal>run-war-only</goal>
            </goals>
            <phase>pre-integration-test</phase>
            <configuration>
                <fork>true</fork>
            </configuration>
        </execution>

        <execution>
            <id>tomcat7-shutdown</id>
            <goals>
                <goal>shutdown</goal>
            </goals>
            <phase>post-integration-test</phase>
        </execution>
    </executions>
</plugin>

Upvotes: 4

Views: 1737
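The question asks for a way to test the two properties from the outside: that the page is really served over TLS, and that the plain-HTTP URL is no longer served in the clear. Below is an added example that is not code from the question or from any answer: a small stand-alone Java checker. It assumes the local layout the answers describe (plain HTTP on 8080, HTTPS on 8443); the URLs in main() are placeholders, and it uses only the JDK's standard networking classes with the JVM's default trust store.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLException;

/**
 * Added example (not from the question or answers): probes a login page
 * from the outside to answer "is it really served over TLS?" and
 * "does the plain-HTTP URL redirect to HTTPS?".
 */
public class TlsCheck {

    /** What the HTTPS probe found. */
    enum TlsState { TLS_TRUSTED_CERT, TLS_UNTRUSTED_CERT, NO_TLS, UNREACHABLE }

    /** Probe an https:// URL against the JVM's default trust store. */
    static TlsState probeHttps(String url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(3000);
        conn.setInstanceFollowRedirects(false);
        try {
            conn.connect(); // performs the TLS handshake
            // Handshake completed and the chain validated against the trust store
            System.out.println("cipher suite : " + conn.getCipherSuite());
            for (Certificate c : conn.getServerCertificates()) {
                if (c instanceof X509Certificate) {
                    System.out.println("cert subject : "
                            + ((X509Certificate) c).getSubjectX500Principal());
                }
            }
            return TlsState.TLS_TRUSTED_CERT;
        } catch (SSLException e) {
            // A CertificateException in the cause chain means TLS was negotiated but
            // the certificate was rejected (self-signed dev cert: the browser-warning
            // case). Any other SSLException, e.g. the "unrecognized SSL message" you
            // get when https:// is sent to a plain-HTTP port, means no TLS at all.
            return hasCause(e, CertificateException.class)
                    ? TlsState.TLS_UNTRUSTED_CERT : TlsState.NO_TLS;
        } catch (ConnectException e) {
            return TlsState.UNREACHABLE; // nothing listening on that port
        } finally {
            conn.disconnect();
        }
        // Other IOExceptions (timeouts, hostname mismatch on a trusted chain) propagate.
    }

    private static boolean hasCause(Throwable t, Class<? extends Throwable> type) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (type.isInstance(c)) return true;
        }
        return false;
    }

    /**
     * Request an http:// URL without following redirects and return the Location
     * header if the server answered with a redirect to https://, otherwise null.
     * A transport-guarantee of CONFIDENTIAL, or a redirecting filter, should make
     * this return a non-null value.
     */
    static String httpsRedirectTarget(String httpUrl) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(httpUrl).openConnection();
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(3000);
        conn.setInstanceFollowRedirects(false);
        try {
            int status = conn.getResponseCode();
            String location = conn.getHeaderField("Location");
            boolean redirect = status >= 300 && status < 400;
            return (redirect && location != null && location.startsWith("https://"))
                    ? location : null;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        // Placeholder URLs for the local Tomcat setup discussed on the page
        String https = args.length > 0 ? args[0] : "https://localhost:8443/login.html";
        String http = args.length > 1 ? args[1] : "http://localhost:8080/login.html";

        System.out.println(https + " -> " + probeHttps(https));
        String target = httpsRedirectTarget(http);
        System.out.println(http + " -> " + (target == null
                ? "served in clear, no redirect to HTTPS" : "redirects to " + target));
    }
}
```

Run it against the two URLs: with a self-signed development certificate the HTTPS probe reports TLS_UNTRUSTED_CERT (exactly the situation that produces the browser warning), while sending https:// to the plain 8080 connector reports NO_TLS. Once the page is only meant to be reachable over HTTPS, the second check should print a redirect target rather than "served in clear".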

Answers (5)

Gerold Broser

Reputation: 14762

SSL/TLS encryption for your web site is nothing you can do in your web application. It's done via your web server's configuration.

See Apache Tomcat 7, SSL Configuration HOW-TO.


Additional info (repeated from my comment to the OQ, since comments are not that prominent and editable):

You don't have to buy a certificate from one of the certification authorities (CA) to obtain a certificate.

  1. StartSSL offers 1-year SSL/TLS + S/MIME for free. On a different domain they offer now:

    No offer any more:

    Notice to all StartCom subscribers

    StartCom CA is closed since Jan. 1st, 2018 that don’t issue any new certificate from StartCom name roots. If you want to buy trusted SSL certificate and code signing certificate, please visit https://store.wotrus.com. If you want to apply free email certificate, please visit https://www.mesince.com to download MeSince APP to get free email certificate automatically and send encrypted email automatically.

    But there may be other companies meanwhile.

  2. You can easily create your own certificates with OpenSSL (thus being your own CA) and associate this certificate with your https:// site. If your visitors accept your certificate in the dialog that pops up in their browser, it is stored in their browser's certificate store and the dialog will not appear again until the certificate's expiration date is reached.

Upvotes: 5

Nazgul

Reputation: 1902

From the original question above:

Command I'm using to start is mvn tomcat7:run and URL using http://localhost:8080/login.html. It works perfectly. But I want to change my URL from http to https and when I access my URL, i.e. https://localhost:8080/login.html

Are you sure about 'http://localhost:8080' and 'https://localhost:8080'?

This basically means that you are requesting both SSL and non-SSL traffic from the same port. Normally Tomcat does HTTP on 8080 and HTTPS on 8443.

Most of the answers here would work for you but first be sure to see if you have enabled the SSL connector in server.xml.

Upvotes: 2

Ironluca

Reputation: 3762

This is what you need to do:

  1. Generate a self-signed certificate and install it in Tomcat (Gerold Broser's post has the link)
  2. By default, the SSL port is disabled in Tomcat; enable it (same link as above)
  3. Change your URL to https://localhost:8443/login.html (default SSL port for Tomcat)
  4. Make the request through your browser, you should see a page/message, depending on the browser, telling you that the certificate is not OK

If you want this page to be only accessed through SSL, look at Tim Funk's post and edit the web.xml of the application.

Upvotes: 4

Tim Funk

Reputation: 879

To require HTTPS and have your servlet engine automatically redirect to https, you are on the right track with transport-guarantee.

So you will probably want:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/login.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

The above will only redirect /login.html of your webapp to https. Add more url-pattern elements as needed.

More details: http://wiki.apache.org/tomcat/FAQ/Security#Q4 and http://marc.info/?l=tomcat-user&m=104951559722619&w=2

Upvotes: 2

cruftex

Reputation: 5723

The normal practice is to check via request.isSecure() whether the request came in via https or not. If not, send the browser a redirect to the same URL but prefixed with the https protocol.

Here is an example servlet filter to do this:

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class SecurityFilter implements Filter {

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
    throws IOException, ServletException {
    HttpServletResponse servletResponse = (HttpServletResponse) response;
    if (!request.isSecure()) {
      HttpServletRequest servletRequest = (HttpServletRequest) request;
      String target = "https://" + request.getLocalName() + servletRequest.getRequestURI();
      servletResponse.sendRedirect(target);
      return;
    }
    // tell the browser to use only https for accessing this domain for the next 30 days
    servletResponse.addHeader("Strict-Transport-Security", "max-age=" + (30 * 24 * 60 * 60));
    chain.doFilter(request, response);
  }

  @Override
  public void init(FilterConfig filterConfig) throws ServletException {
    // not needed
  }

  @Override
  public void destroy() {
    // not needed
  }

}

To enable the filter globally, add the following to your web.xml:

<filter>
      <filter-name>securityFilter</filter-name>
      <filter-class>SecurityFilter</filter-class>
</filter>
<filter-mapping>
      <filter-name>securityFilter</filter-name>
      <url-pattern>/*</url-pattern>
</filter-mapping>

The line servletResponse.addHeader("Strict-Transport-Security", ... is optional. If you put it into the code, your browser will never try to connect to http again for the next 30 days but will use https by itself. That happens if your browser supports the HSTS standard, RFC 6797. That makes sense if your application should be accessible solely via https. However, I think it is only possible with the standard https port 443. See next.

There is a tiny pitfall in your current Tomcat configuration. It is not possible to run http and https on the same port. You need two separate connectors, one for http and one for https.

To make this happen, add to the Maven Tomcat plugin configuration:

<!-- Maven Tomcat Plugin -->
<plugin>
   <groupId>org.apache.tomcat.maven</groupId>
   <artifactId>tomcat7-maven-plugin</artifactId>
   <version>2.2</version>
   <configuration>
      <httpsPort>8443</httpsPort>
 . . .

You also need to add the correct port for the redirect target in the SecurityFilter code (or make it a parameter):

      String target = "https://" + request.getLocalName() + ":8443" + servletRequest.getRequestURI();

Ports 8080 and 8443 are only for experimental local web servers; real applications should be on ports 80 and 443.

That's it. Have fun and good luck!

Upvotes: 3
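The filter above works for the local setup, but two details matter once it is deployed for real: request.getLocalName() returns the name of the interface Tomcat bound, not the host the browser asked for, and the query string is dropped from the redirect target. As an added example that is not the answer's own code, here is a variant that builds the target from getServerName(), keeps the query string, reads the HTTPS port from an init-param (the parameter name "httpsPort" is an assumption; 8443 is the default used on this page), refuses to redirect non-idempotent requests, and sends the HSTS header only on responses that were actually served over TLS. The target construction is a static helper so it can be unit-tested without a servlet container.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not the answer's own filter. Assumptions: an init-param
 * named "httpsPort" in web.xml (defaults to 8443 when absent), and that
 * request.isSecure() reflects the real transport, i.e. TLS terminates at
 * Tomcat itself.
 */
public class HttpsRedirectFilter implements Filter {

    private static final long HSTS_MAX_AGE_SECONDS = 30L * 24 * 60 * 60; // 30 days

    private int httpsPort = 8443;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String p = config.getInitParameter("httpsPort"); // assumed init-param name
        if (p != null && !p.trim().isEmpty()) {
            httpsPort = Integer.parseInt(p.trim());
        }
    }

    /** Builds "https://host[:port]/uri[?query]"; the port is omitted for 443. */
    static String httpsTarget(String host, int port, String uri, String query) {
        StringBuilder sb = new StringBuilder("https://").append(host);
        if (port != 443) {
            sb.append(':').append(port);
        }
        sb.append(uri);
        if (query != null && !query.isEmpty()) {
            sb.append('?').append(query);
        }
        return sb.toString();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            String method = request.getMethod();
            if (!"GET".equals(method) && !"HEAD".equals(method)) {
                // A POST that arrived in the clear has already exposed its body;
                // redirecting it would only hide that, so reject it outright.
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
                return;
            }
            String target = httpsTarget(request.getServerName(), httpsPort,
                    request.getRequestURI(), request.getQueryString());
            // 301: clients may cache it, so the next visit goes straight to https
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", target);
            return;
        }

        // Browsers ignore HSTS received over plain HTTP (RFC 6797), so it is only
        // set here, on the secure branch.
        response.setHeader("Strict-Transport-Security",
                "max-age=" + HSTS_MAX_AGE_SECONDS + "; includeSubDomains");
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Map it exactly like the filter in the answer (swap the filter-class and add an init-param for httpsPort if you are not on 8443). Two caveats for real deployments: if TLS terminates at a reverse proxy in front of Tomcat, request.isSecure() is false for every request and the filter would loop; configure Tomcat's RemoteIpValve (or RemoteIpFilter) to honour the proxy's forwarded-protocol header rather than reading X-Forwarded-Proto in the filter yourself. And RFC 6797 keeps an explicit non-80 port when it upgrades a URL, so with HSTS enabled a browser that once saw http://localhost:8080 would later try https://localhost:8080, which does not speak TLS; the answer's advice to only switch HSTS on when running on 443 stands.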
