Reputation: 181
I have an application which in general works in https. Tomcat listens on port 8443:
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keyAlias="MY_ALLIAS" keystoreFile="PATH_TO_MY_KEY"
               keystorePass="MY_PASWORD" />
Apache listens on 80 and redirects to 8443:
    <VirtualHost *:80>
        ServerAdmin MY_EMAIL_ADDRESS
        ServerName localhost
        ServerAlias localhost
        ProxyPass / http://localhost:8443/
        ProxyPassReverse / http://localhost:8443/
        DocumentRoot /var/www/html
    </VirtualHost>
Finally, in web.xml I added:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>MY_WEB_RESOURCE_NAME</web-resource-name>
            <url-pattern>/welcome</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
Unfortunately, I have to add an IFRAME with an http site into one of my websites. Security is not a problem there. My problem is Tomcat configuration. I guess I will dispatch traffic with Apache. But now my question is how to set up Tomcat, so I can serve site http://localhost:8080/siteA and all the other sites will be served on https://localhost:8443/myOtherSites? I tried removing redirectPort="8443", but it's not enough. I'm using Tomcat 9.0.0.M4 (it's not a problem to move to Tomcat 8, if I need to). Please help!
Upvotes: 1
Views: 1188
Reputation: 2166
To solve this problem, add one more <security-constraint> tag in your web.xml like this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Unsecured resources</web-resource-name>
            <url-pattern>/siteA</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Since you have set transport-guarantee as NONE, Tomcat will not verify if it's a secured resource or not. In this manner this <security-constraint> will help to access your siteA over http, and the other <security-constraint> tag that you have already declared will help you access your other sites on https. Just remember, in the <url-pattern> tag give the path to the pages that you want to keep as http or https. Let me know if this solves your problem :).
Upvotes: 1
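Added example, not part of the posts above or of Tomcat's own code: a small Python check that reads a web.xml and reports whether a request path may be served over plain HTTP, following the servlet url-pattern precedence (exact, longest path prefix, extension, default). The descriptor is constructed from the two constraints on this page; as simplifying assumptions, `<web-resource-name>` is omitted and `<http-method>` elements are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: the two constraints shown on this page, in one web.xml.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/welcome</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/siteA</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Map each url-pattern to the set of transport guarantees declared for it."""
    table = {}
    # "{*}" matches the element in any (or no) XML namespace (Python 3.8+).
    for sc in ET.fromstring(xml_text).findall(".//{*}security-constraint"):
        # A constraint without <user-data-constraint> behaves like NONE.
        tg = sc.findtext("{*}user-data-constraint/{*}transport-guarantee", "NONE").strip()
        for pat in sc.findall(".//{*}url-pattern"):
            table.setdefault(pat.text.strip(), set()).add(tg)
    return table

def rank(pattern, path):
    """Servlet match precedence: exact > longest prefix > extension > default."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def cleartext_allowed(table, path):
    """True if plain HTTP is accepted for path (http-method elements ignored)."""
    ranked = [(rank(p, path), p) for p in table if rank(p, path) is not None]
    if not ranked:
        return True  # no constraint matches: no transport guarantee at all
    best = max(ranked)[1]
    return "NONE" in table[best]  # guarantees on one pattern combine permissively

if __name__ == "__main__":
    table = load_constraints(WEB_XML)
    for path in ("/welcome", "/siteA", "/siteA/page.html", "/myOtherSites/x"):
        print(path, "-> plain HTTP allowed:", cleartext_allowed(table, path))
```

With the page's two constraints only the exact path `/welcome` requires HTTPS: `/siteA` and `/welcome` are exact-match patterns, and paths matched by no constraint carry no transport guarantee. A constructed stricter layout, `/*` as CONFIDENTIAL plus `/siteA/*` as NONE, keeps everything except siteA on HTTPS under the same matching rules.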