Ankit Agarwal

Configure HTTP Access for some URLs and HTTPS Access for other URLs on Tomcat7

Uncategorized
Ankit Agarwal
November 9, 2014

Note

The steps below were tested on Tomcat7 running on an Ubuntu Linux 14.04 LTS instance in AWS EC2. However, these steps should work on Tomcat7 running on any OS (after adjusting for the particular installation directories).

Steps

  1. Enable the HTTPS Connector in the file server.xml in /etc/tomcat7/ or /var/lib/tomcat7/conf/
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS"
  keystoreFile="[Your Keystore Filename].jks"
  keystorePass="[Your Keystore Password]"/>
  1. Next, enable the HTTP Connector
<Connector port="8080" enableLookups="false"
  redirectPort="443" />

This instructs Tomcat to redirect all HTTP traffic on Port 8080 to the HTTPS Connector on Port 443

  1. At this point your Tomcat will allow both HTTP (Port 8080) and HTTPS (Port 443) traffic through
    • Note that the Ports were specified in the respective Connectors in the server.xml file
  2. Next you need to instruct Tomcat and tell it which URLs to redirect to HTTPS and which ones to allow using HTTP
  3. You can do this in two ways
    1. Together for all your Web Applications or Contexts deployed on your Tomcat
      1. Edit the file web.xml in /etc/tomcat7/ or /var/lib/tomcat7/conf/
      2. At the end of the file, add the following security constraints
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTTP Allowed</web-resource-name>
    <url-pattern>/API/v1/Public/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTTPS Only</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- auth-constraint goes here if you requre authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
  • The first Security Constraint specifies to which URLs, HTTP access is allowed
    • We have used the url-pattern/API/v1/Public/*
    • This translates to http://[Your Domain Name OR IP Address]:[Your Port]/[Your Web Application Name]/API/v1/Public/[Any Resource Name (e.g., Servlet Name) that your Web Application is listening for]
    • You can of course use any url-pattern you like
    • Note the transport-guarantee is set to NONE implying HTTP access
  • The second Security Constraint specifies to which URLs, HTTPS access is required
    • Note the transport-guarantee is set to CONFIDENTIAL implying HTTPS access
    • The url-pattern here is /*
    • This translates to http://[Your Domain Name OR IP Address]:[Your Port]/[Your Web Application Name]/[Any Resource Name (e.g., Servlet Name) that your Web Application is listening for]
    • See this page to understand how Tomcat matches URL patterns – http://docs.roguewave.com/hydraexpress/3.5.0/html/rwsfservletug/4-3.html
    • Essentially Tomcat will do a longest URL match which means that if a URL matches http://[Your Domain Name OR IP Address]:[Your Port]/[Your Web Application Name]/API/v1/Public/* then the first security-constraint will be used instead of the second
    • You have essentially configured your Tomcat7 so that by default it uses HTTPS and only allows HTTP access to specific URLs (these URLs are your security exceptions)
  1. For each Web Application independently
    1. Add the exact same security constraints as above to your specific Web Application’s web.xml deployment descriptor file instead of the global web.xml file, which was updated above
    2. Your Web Application’s individual web.xml file is typically in the WEB-INF directory
    3. Do this for each Web Application individually
    4. The Web Applications’ whose web.xml files you do not update, will allow both HTTP and HTTPS access to all their URLs

References