7 Replies Latest reply on Feb 7, 2002 8:14 AM by Iulian State

    SSL Redirection with Bundle

    Thomas Clouser Newbie

      All,

      I have successfully configured the JBoss 2.4.4 + Tomcat 4.0.1 Bundle to use SSL on my WinNT box (both SSL and non-SSL ports working). But I have not found a way to get the EmbeddedCatalinaServiceSX MBean to do port redirection (which means, if I request a web application resource which has a <transport-guarantee> of CONFIDENTIAL over http, it should redirect the request to https).

      With tomcat standalone, this is handled by including the "redirectPort" attribute on the non-ssl connection definition.

      Has anyone been able to get port redirection to work?

      TIA,

      TC.

      PS There is a a lengthy discussion of this on the mailing list at sourceforge if you desire more details.

        • 1. Re: SSL Redirection with Bundle
          Alain Coetmeur Newbie

          I've tried to solve your kind of problem,
          ie to have an HTTP catalina connector that
          automatically redirect to an HTTPS
          catalina connector, whenever the
          web-app/security-constraint/
          user-data-constraint/transport-guarantee
          is set to CONFIDENTIAL or INTEGRAL

          I have patched catalina MBean so that it support
          a redirectPort parameter...

          I have 2 similar pair of HTTP/HTTPS connectors,

          the first pair, associate the usual HTTP
          connector, configured as usual, with a redirectport
          to a connector configured in a "Config" XML attribute...

          the second pair of connectors are configured purely
          in the Config XML attribute, the HTTP connector pointing
          on the HTTPS connector

          each of the 4 connectors works perfectly,
          except that the redirection HTTP->HTTPS
          when transport-guarantee is CONFIDENTIAL
          does not works at all...

          I'm investigating further,
          but I'm afraid this is a catalina problem...
          maybe something about the "Embedded" class
          which is not used by default on standalone tomcat4...

          my jboss.jcml contains:

          <!-- Embedded Tomcat 4.x - JBossSX SecurityDomain (JaasSecurityDomain) -->




          ../conf/tomcat.jks
          changeit



          <!-- Uncomment to add embedded catalina service -->

          80
          http
          443
          999















          my web.xml contains

          <web-app>
          <welcome-file-list>
          <welcome-file>index.jsp</welcome-file>
          <welcome-file>Login_utilisateur.jsp</welcome-file>
          </welcome-file-list>
          <!-- a mettre ABSOLUMENT avant les ejb-ref... l'ordre importe !!! -->
          <security-constraint>
          <web-resource-collection>
          <web-resource-name>protected-lilafinance</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
          </web-resource-collection>
          <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
          </security-constraint>
          ...

          • 2. Re: SSL Redirection with Bundle
            Thomas Clouser Newbie

            The answer...

            you have to configure the support of HTTPS URL...
            ie add to jboss.properties the line:
            #JSSE https URL support
            java.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol


            A big thanks to Alain Coetmeur for nailing this one.

            TC

            • 3. Re: SSL Redirection with Bundle
              Benjamin Chi Newbie

              The redirect from non-secured port 8080 to secured port 8443 does not work. I got this exception:

              [INFO,EmbeddedCatalinaServiceSX] StandardHost[localhost]: MAPPING configuration error for request URI
              [ERROR,EmbeddedCatalinaServiceSX] HttpProcessor[8080][4] process.invoke
              java.lang.NullPointerException
              at org.apache.catalina.valves.ErrorDispatcherValve.status(ErrorDispatcherValve.java:280)
              at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:180)
              at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
              at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
              at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
              at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:163)
              at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
              at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
              at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
              at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1011)
              at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1106)
              at java.lang.Thread.run(Thread.java:484)

              • 4. Re: SSL Redirection with Bundle
                Alain Coetmeur Newbie

                BINGO, it works !!!!

                the solution seems strange, but setting
                catalina to debuglevel=2 helped much...

                the problem was that the https URL
                were not supported but the URL class ...
                the solution is written in JSSE doc :
                just add this to jboss.properties
                or add the equivalent
                -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
                option


                #JSSE
                #https URL support
                java.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol

                By the way note, that as usual space at the end of line
                in a property file is important...
                it have cause problems to me 3 times and I've lost hours on such subtleties...

                • 5. Re: SSL Redirection with Bundle
                  Alain Coetmeur Newbie

                  I don't fire what is the problem but, as it works for
                  me this can be a minor error...

                  JSSE installation is not trivial:
                  - one have to add the JSSE provider
                  in jre/lib/security/java.security
                  I have this in mine... (jsse and jce)
                  #
                  # List of providers and their preference orders (see above):
                  #
                  security.provider.1=sun.security.provider.Sun
                  security.provider.2=com.sun.rsajca.Provider
                  #added for jsse
                  security.provider.3=com.sun.net.ssl.internal.ssl.Provider
                  #added for jce
                  security.provider.4=com.sun.crypto.provider.SunJCE

                  -the other problem is the one I've cited
                  earlier (the HTTPS URL handler to configure),
                  but I think you have used the trick...

                  however the message I see seems to accuse
                  the web.xml (or application.xml in a .ear)
                  deployment file...

                  try to put jboss in debug mode,
                  this trigger the catalina debugLevel#2
                  which will give you much more info...

                  note that I've also added a patch to control
                  catalina debuglevel from the jboss.jcml...
                  I should publish my changes soon...

                  hope this helps



                  >The redirect from non-secured port 8080
                  > to secured port 8443 does not work. I got this exception:
                  >[INFO,EmbeddedCatalinaServiceSX] StandardHost[localhost]: MAPPING configuration error for request URI
                  >[ERROR,EmbeddedCatalinaServiceSX] HttpProcessor[8080][4] process.invoke
                  >java.lang.NullPointerException
                  at org.apache.catalina.valves.ErrorDispatcherValve.status(ErrorDispatcherValve.java:280)

                  • 6. Re: SSL Redirection with Bundle
                    Benjamin Chi Newbie

                    Acutally it works for me for redirecting from port 8080 to 8443 if I type in the default login page configured in the web.xml on the URL. e.x. If I type URL "http://localhost:8080/secured/login.jsp" it'll redirect to "https://localhost:8443/secured/login.jsp", but if I type in only "http://localhost:8080/secured/" then the server throws that null pointer exception. But if I were to use the default ports such as 80 and 443 then both cases works fine.