How to force SSL/HTTPS access to a cuba application on Tomcat 8?

I have a single war cuba application deployed to Tomcat 8. The server is already SSL-enabled and configured. I want to force all access to my application to run over HTTPS. I tried adding this to my modules/web/WEB-INF/web.xml file:


<security-constraint>
    <web-resource-collection>
        <web-resource-name>prm</web-resource-name>
        <url-pattern>/prm/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

However, I can still access my application using HTTP (www.mysite.com/prm/). It does not indicate redirection to HTTPS.

I also tried changing the url-pattern “/prm/*” to “/*”. No difference. I can still access via HTTP.

What is the correct way to force HTTPS access on Tomcat 8 for a Cuba app?

Hi,

Please follow the steps described in the Tomcat 8 manual: Apache Tomcat 8 (8.0.53) - SSL/TLS Configuration HOW-TO

You have to enable SSL/TLS in the server.xml config file and import the SSL certificate.

Thanks. The server is already SSL enabled. That hasn’t been the issue. I was just trying to figure out how to make sure that my webapp is ONLY accessed via SSL. It turns out that, since I had this set up as a single war application, I had to make my changes in the single-war-web.xml file and not the web.xml file.

I’m still having some trouble with port mapping, but that’s because I’m behind a firewall and mapping the standard ports to internal ports on an internal server. The Tomcat SSL redirect is using the internal port, but that’s not actually visible to the browser. I have to figure out how to get around that next. :wink:

Oh, sorry, you did not mention single war deployment. You are right, in the case of single war your web.xml is not used for deployment.

Yep – my mistake. Now I know the difference. :wink:

I’m pleased to report that a small configuration change to my Tomcat server got this working. I had my redirectPort set to the local Tomcat port (8443). I changed it to the external SSL Port (443) and now the automatic redirect to SSL is working properly for my app.

Maybe this will help somebody else…

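Added example, not part of any post in this thread: a small Python check for the two conditions the thread arrives at, namely that the deployed descriptor carries a CONFIDENTIAL transport guarantee and that the HTTP connector's redirectPort is a port the browser can actually reach. The sample server.xml, the descriptor, the firewall port map (external 80 to 8080, 443 to 8443) and the function names are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Tomcat listens on internal ports behind a firewall.
SERVER_XML_BEFORE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true"/>
</Service></Server>"""
SERVER_XML_AFTER = SERVER_XML_BEFORE.replace('redirectPort="8443"',
                                             'redirectPort="443"')
# Constructed stand-in for the descriptor that is really deployed
# (single-war-web.xml in the thread's single-WAR setup).
DESCRIPTOR = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""
PORT_MAP = {80: 8080, 443: 8443}  # assumed firewall mapping: external -> internal

def local(tag):
    """Strip an XML namespace prefix such as '{uri}web-app'."""
    return tag.rsplit("}", 1)[-1]

def confidential_patterns(descriptor_xml):
    """URL patterns covered by a CONFIDENTIAL transport guarantee."""
    patterns = []
    for sc in ET.fromstring(descriptor_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        text = lambda name: [(e.text or "").strip() for e in sc.iter()
                             if local(e.tag) == name]
        if "CONFIDENTIAL" in text("transport-guarantee"):
            patterns += text("url-pattern")
    return patterns

def audit(server_xml, descriptor_xml, port_map):
    """Return findings; an empty list means the redirect lands on HTTPS."""
    findings = []
    if not confidential_patterns(descriptor_xml):
        findings.append("no CONFIDENTIAL transport-guarantee in descriptor")
    conns = list(ET.fromstring(server_xml).iter("Connector"))
    tls = {int(c.get("port")) for c in conns
           if c.get("SSLEnabled", "").lower() == "true"}
    for c in conns:
        port, redirect = int(c.get("port")), c.get("redirectPort")
        if port in tls:
            continue  # the TLS connector itself never redirects
        if redirect is None or port_map.get(int(redirect)) not in tls:
            findings.append(f"connector {port}: redirectPort={redirect} is not "
                            "an external port mapped to a TLS connector")
    return findings
```

Run `audit` against the server.xml and the descriptor that the server actually loads; the "before" sample reproduces the redirect to internal port 8443 described above.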