Tomcat https and automatic redirect

Here is an example Tomcat configuration that sets up SSL and an automatic redirect from TCP 80 (HTTP) to TCP 443 (HTTPS).

This may sound obvious, but for the automatic redirect to work you must configure the connector for port 80 alongside the port 443 connector in the server.xml configuration file: the redirect is issued by the port-80 connector (using its redirectPort), so without that connector there is nothing to redirect.

Next create an ssl directory inside the Tomcat directory. If you are going to use a different path, make sure Tomcat can access these files. I usually try to keep all application-server related files inside the Catalina home.

cd /opt/tomcat   #or any other path you used
mkdir ./ssl

Then create the private key and a CSR for the certificate using openssl. My advice would be to execute the following command inside the ssl directory you created previously.

cd /opt/tomcat/ssl #or any other directory you used.
#alter the names to match your requirements
#-newkey needs the algorithm prefix (rsa:4096); -nodes leaves the key unencrypted so Tomcat can load it without a passphrase
openssl req -newkey rsa:4096 -nodes -keyout dev.amis.nl.key -out dev.amis.nl.csr

This command writes a dev.amis.nl.key file straight away and, after you have answered the questions, a dev.amis.nl.csr file. In the configuration below I have also added a date portion to the file names for future reference. You can use the CSR (certificate signing request) either to obtain a certificate from a CA or to generate a self-signed certificate (openssl can do that as well). Whichever route you take, make sure the resulting files end up in the ${catalina.base}/ssl directory, and restrict the key file to the account Tomcat runs as (chmod 600), since anyone who can read it can impersonate the server.

#alter the names to match your own requirements; best practice usually includes creating self-descriptive filenames (ddmmyyyy is the date the certificate was issued).
dev.amis.nl.ddmmyyyy.cer
dev.amis.nl.ddmmyyyy.key
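As an added example (not part of the original post), the following shell script carries the key, CSR and certificate steps above through end to end with the post's date-stamped naming, produces a self-signed certificate from the CSR, locks the files down, and checks that key and certificate actually belong together before they go anywhere near server.xml. The host name dev.amis.nl and the /opt/tomcat/ssl path are the post's examples; the script and function names are mine.

```shell
#!/bin/sh
# make_tomcat_cert.sh (added example, not from the original post)
# Creates a date-stamped private key, CSR and self-signed certificate in the
# layout the post uses: <host>.<ddmmyyyy>.key / .csr / .cer inside Tomcat's
# ssl directory. Host name, output directory and validity are parameters.
set -eu

# make_tomcat_cert HOST OUTDIR [DAYS]
# Prints the path of the certificate; returns 1 if key and certificate do not match.
make_tomcat_cert() {
    host="$1"
    outdir="$2"
    days="${3:-365}"
    stamp=$(date +%d%m%Y)                     # same ddmmyyyy suffix as in the post
    key="$outdir/$host.$stamp.key"
    csr="$outdir/$host.$stamp.csr"
    cer="$outdir/$host.$stamp.cer"

    mkdir -p "$outdir"
    # The key must only be readable by the account Tomcat runs as: create
    # everything with mode 0600 (umask 077) inside a 0700 directory.
    chmod 700 "$outdir"
    (
        umask 077
        # -newkey needs the algorithm prefix (rsa:4096); -nodes leaves the key
        # unencrypted so Tomcat can load it without a passphrase prompt.
        # -subj makes the run non-interactive; drop it to answer openssl's
        # questions when you want O/OU/C in the CSR.
        openssl req -newkey rsa:4096 -nodes -keyout "$key" -out "$csr" \
            -subj "/CN=$host" 2>/dev/null
        # Self-sign the CSR with the same key. For a CA-issued certificate,
        # send the CSR to the CA instead and save its answer as "$cer".
        openssl x509 -req -in "$csr" -signkey "$key" -days "$days" -out "$cer" 2>/dev/null
    )

    # Sanity check before touching server.xml: key and certificate must share a modulus.
    key_mod=$(openssl rsa -in "$key" -noout -modulus)
    cer_mod=$(openssl x509 -in "$cer" -noout -modulus)
    if [ "$key_mod" != "$cer_mod" ]; then
        echo "key and certificate do not match" >&2
        return 1
    fi
    printf '%s\n' "$cer"
}

# cert_subject_cn FILE: prints the CN of a certificate, to confirm the host name.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Usage with the post's host and Tomcat path:
#   make_tomcat_cert dev.amis.nl /opt/tomcat/ssl 365
```

The modulus comparison is the check that catches the classic mistake of pairing a freshly generated key with a certificate issued for an earlier CSR; Tomcat would only report that at startup, with a far less helpful error.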

Once the private key and certificate are in place, you can create the connectors in server.xml that Catalina (Tomcat) needs to handle the requests remote users will make on ports 80 (HTTP) and 443 (HTTPS). By default Catalina is configured on port 8080; you can safely delete that default entry and replace it with the configuration below. Note that ports below 1024 are privileged on Linux: either start Tomcat through jsvc (which binds the ports and then drops to the tomcat user) or keep the connectors on 8080/8443 and forward 80/443 to them with iptables. Do not run Tomcat as root just to get port 80 and 443.

Make sure that the <Connector> entries are added between the <Service name="Catalina"> XML tags.

Open the server.xml file and create the following connectors. Tweak the settings to match your own requirements. The SSLCertificateFile and SSLCertificateKeyFile attributes belong to the APR/native connector, so the Tomcat Native library (AprLifecycleListener) must be loaded; the pure-Java (JSSE) connector expects a keystore (keystoreFile/keystorePass) instead of PEM files.


<!-- Connector definition for TCP port 80 (plain HTTP).
     redirectPort is where Tomcat sends requests that hit a CONFIDENTIAL
     security constraint; 443 is also Tomcat's default, set here explicitly. -->
<Connector port="80"
           redirectPort="443"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           useBodyEncodingForURI="true"
           enableLookups="false"
           acceptCount="100"
           connectionTimeout="20000"
           disableUploadTimeout="true"
           compression="on"
           compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml"/>

<!-- Connector definition for SSL port 443.
     SSLCertificateFile/SSLCertificateKeyFile are APR/native connector attributes. -->
<Connector port="443"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           compression="on"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           SSLCertificateFile="${catalina.base}/ssl/dev.amis.nl.16032011.cer"
           SSLCertificateKeyFile="${catalina.base}/ssl/dev.amis.nl.16032011.key"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript"/>

Sometimes you want Tomcat to redirect every incoming request on TCP port 80 (HTTP) to TCP port 443 (HTTPS). This behaviour can be forced by adding the following to the web.xml configuration in the ${catalina.base}/conf/ directory. Because that is the global web.xml, the constraint applies to every deployed application; put the same block in an application's WEB-INF/web.xml if you want it for that one application only. Tomcat answers the HTTP request with a 302 redirect to the same path on the port given by the connector's redirectPort (443 above); the plain-HTTP request itself still reaches Tomcat, so this protects nothing that was already sent in that first request.

Make sure you add this entry just before the ending </web-app> tag.

  <!-- Automatically redirect all requests to https -->
  <security-constraint>
        <web-resource-collection>
                <web-resource-name>Automatic SSL Forward</web-resource-name>
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <!-- no auth-constraint: nobody has to log in, the request only has to arrive over TLS -->
        <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
  </security-constraint>
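Once the connectors and the security constraint are in place, the thing to verify is that a plain-HTTP request really comes back as a redirect to an https:// URL. The following shell script is an added example, not part of the original post: it parses the response headers, accepts only a 3xx with an https:// Location, and wraps that in a live check with curl plus a second helper that shows the certificate the 443 connector actually serves. The host name dev.amis.nl is the post's example and the sample response is constructed for illustration.

```shell
#!/bin/sh
# check_https_redirect.sh (added example, not from the original post)
# Verifies the two pieces configured above together: a request to the port-80
# connector must come back as a redirect whose Location uses https://, which
# is what the CONFIDENTIAL constraint produces via the connector's redirectPort.

# parse_redirect: read raw HTTP response headers on stdin, print "<status> <location>".
# Returns 0 only for a 3xx status with an https:// Location, 1 otherwise.
parse_redirect() {
    status=""
    location=""
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')      # strip CRLF line endings
        case "$line" in
            HTTP/*)        status=$(printf '%s' "$line" | cut -d' ' -f2) ;;
            [Ll]ocation:*) location=$(printf '%s' "$line" | sed 's/^[Ll]ocation:[[:space:]]*//') ;;
        esac
    done
    printf '%s %s\n' "$status" "$location"
    case "$status" in
        30[12378]) ;;                                 # 301/302/303/307/308 are redirects
        *) return 1 ;;
    esac
    case "$location" in
        https://*) return 0 ;;
        *) return 1 ;;                                # redirect back to http:// is a misconfiguration
    esac
}

# check_https_redirect HOST: live check against a running Tomcat (needs curl).
check_https_redirect() {
    curl -sS -I --max-time 10 "http://$1/" | parse_redirect
}

# show_served_cert HOST: live check of the 443 connector, prints subject and
# validity of the certificate Tomcat actually serves (needs openssl and network).
show_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

# Constructed sample of the headers Tomcat sends for a request that hits the
# CONFIDENTIAL constraint on port 80 (Apache-Coyote/1.1 is Tomcat 6/7's Server header).
SAMPLE_RESPONSE='HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: https://dev.amis.nl/
Content-Length: 0
Date: Wed, 16 Mar 2011 10:00:00 GMT
'

# Usage against the constructed sample; once Tomcat is up, run
# check_https_redirect dev.amis.nl and show_served_cert dev.amis.nl instead.
#   printf '%s' "$SAMPLE_RESPONSE" | parse_redirect
```

The parser deliberately rejects a redirect whose Location is still http://, which is what you get when redirectPort points at a connector without SSLEnabled, and a 200 on port 80, which means the security constraint is not being applied (wrong web.xml, or the block landed outside <web-app>).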

If you also want to send someone who requests the /* (ROOT) location on to an application deployed in a Tomcat sub-directory, add the following to the default index.jsp in the ${catalina.base}/webapps/ROOT directory. It must be at the top of the file, before any content is sent to the browser; otherwise the response is already committed and sendRedirect throws an IllegalStateException. The cleanest way is to remove all content except the entry below.

<%
    // Send the browser to the deployed application. Nothing may have been
    // written to the response before this point; the return stops the rest
    // of the page from rendering after the redirect has been issued.
    String redirectURL = "/appname";
    response.sendRedirect(redirectURL);
    return;
%>

Hope this helped; any comments or clarifications, please post them below.

About Chris Gralike

I am currently manager of the business continuity department at the business IT service provider AMIS Services BV. I have been active in the ICT sector since 2003. Between 2003 and now I have held various roles: system and network administration, system engineer, service manager and now practice manager. In those roles I have come into contact with a wide range of technologies, methodologies, ideas, solutions and innovations. A rich experience with which I try to support the customers of Conclusion and AMIS every day. My motto: 'Always looking for a win-win between business and technology.'

Posted on March 16, 2011, in Tomcat.
