0

I have a web app running on Tomcat 7, and I've successfully gotten SSL and form-based authentication to work by using https and the appropriate port directly. However I'd like to require SSL for the login page and can't seem to get this to work if I navigate to the root of my web app. E.g. if I go to http://localhost:8080/ProjectManagementSystem/login.html it redirects to SSL, but not if I go to http://localhost:8080/ProjectManagementSystem The latter does redirect to the login page but doesn't change to SSL.

Is this possible without moving the login page to its own directory (as in this question)?

The relevant pieces from web.xml are:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>PMS</web-resource-name>
        <url-pattern>/login.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
        <auth-method>FORM</auth-method>
        <realm-name>ProjectManagementSystem</realm-name>
        <form-login-config>
                <form-login-page>/login.html</form-login-page>
                <form-error-page>/error.html</form-error-page>
        </form-login-config>
</login-config>

I've tried a number of different configurations (e.g. adding additional url-patterns like /) but can't get anything to redirect when I go to the web-app's root. I'd really appreciate knowing if this is impossible or if I'm just doing something wrong. Thanks.

ETA: I actually went ahead and tried moving login.html to login/login.html and changing it to <url-pattern>/login/*</url-pattern> and it still doesn't work. So I think I must be doing something wrong, but I can't for the life of me figure out what.

ETA2: I also tried <url-pattern>/*</url-pattern> and <url-pattern>*</url-pattern> and <url-pattern>*.html</url-pattern> and none of these worked either...

ETA3: I tried changing the web-resource-name as well, in case it was conflicting with another part of the web.xml, but that still didn't work. I'm about out of ideas.

Community
  • 1
  • 1
Maltiriel
  • 793
  • 2
  • 11
  • 28
  • Have you found the problem yet? I'm having the same problem. – Hoàng Long Nov 22 '12 at 03:36
  • No, unfortunately I still haven't managed to solve this. It's on the back-burner for now, but I figure if I still can't find a web.xml way to do it I'll have to redirect manually somehow (within the servlet maybe?). It seems like there should be a way to do this but I haven't found anything. – Maltiriel Nov 27 '12 at 17:39

2 Answers2

4

I got this to work in JBOSS 7.1.1 as follows:

 <security-constraint>
     <web-resource-collection>
         <web-resource-name>*</web-resource-name>
         <url-pattern>/logon.jsp</url-pattern>
         <url-pattern>/logonReconnect.jsp</url-pattern>
         <url-pattern>/logoff.do</url-pattern>
     </web-resource-collection>
    <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>

E.g. there were 3 pages allowing logon, together with SSL configuration in standalone.xml this forces SSL for the log on pages and session but does not place a constraint on other content. This was to address a kind of bizzre problem in IE8 and earlier where active content (hotspots) was disabled if we placed the constraint on all content.

Peter
  • 41
  • 2
  • If you navigate to the root of your web app rather than going directly to one of the login pages does this still work? That's where I'm having problems. If I go directly to my login page it all works fine, but the web app re-directs to the login page if you go to the root of the web app or to any of the other pages, and that redirect isn't going to SSL. – Maltiriel Dec 21 '12 at 16:23
0

I had the same problem: Only the root page did not redirect to https, all other pages did. I managed to fix it by using TWO url-patterns in the security-constraint like

<security-constraint> <web-resource-collection> <web-resource-name>PMS</web-resource-name> <url-pattern>*.xhtml</url-pattern> <url-pattern>/</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>

esel
  • 901
  • 9
  • 20