0

I want to forcefully redirect a site to a SSL certified site. I have added these config within my server.xml tomcat config.

<Connector port="8080" protocol="HTTP/1.1" 
           connectionTimeout="20000" 
           enableLookups="false"
           redirectPort="8443" />

<Connector port="8443" protocol="HTTP/1.1"
    SSLEnabled="true" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25"
    maxSpareThreads="75" enableLookups="false"
    disableUploadTimeout="true" acceptCount="100"
    scheme="https" secure="true"
    sslProtocol="TLS" keystoreFile="conf/{keystoreName}.jks"
    keystorePass="{KeyStorePass}" />

But I ended up with viewing my site in both non-SSL and SSL certified site. How can I restrict and redirect non-SSL certified to SSL one?

EDIT:

Here's the portion of my web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOnly</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOrHTTP</web-resource-name>
        <url-pattern>*.ico</url-pattern>
        <url-pattern>/img/*</url-pattern>
        <url-pattern>/css/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
roybalderama
  • 1,650
  • 21
  • 38
  • You have to configure this in your web.xml. See [this Stackoverflow question](http://stackoverflow.com/questions/7790141/security-constraint-configuration-inside-web-xml-for-tomcat). – Michael-O May 28 '13 at 08:07
  • I already configured my web.xml with that, only image and JavaScript can be access with both http and https. Please check my edited question. – roybalderama May 28 '13 at 08:14
  • Attention, this could lead to a problem. If you access a unsecured resource from secured one like images from HTML, the browser may emit a warning. Try to avoid that. Have you tried without the second constraint. – Michael-O May 28 '13 at 08:38

0 Answers0