Redirect HTTP to HTTPS:PORT in Tomcat

Question

I have a running tomcat application that already have the following redirection rule from HTTP to HTTPs:

<Connector executor="tomcatThreadPool"
           port="80"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

Is it possible to add an exception/rule, that a specific HTTPrequest (http://www.example.com), will be redirected to another specific address , with a port specified (say https://www.example.com:8443/test), without changing/removing the above Connector ?

@ADTC Your post is about AWS Elastic Beanstalk, this question is about Apache Tomcat. I'm confused why you think the two are related? — Frans, Jun 07 '21 at 19:25
@Frans fair point. The EB server is running Apache Tomcat. Yes it specifically applies to AWS EB, but it's still related to Tomcat that way. Someone might find it useful even in other cloud services or Tomcat installations as hints in their search for a solution. ‍♂️ If you don't find it helpful, then ignore it _(Also, this was almost 4 years ago. I've moved on to new things.)_ — ADTC, Jun 08 '21 at 02:18

score 31 · Answer 1 · edited Aug 18 '22 at 07:43

You can do it to every app deployed to tomcat by adding this to the end of tomcat_dir/conf/web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you requre authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

So you don't have to change it on the web.xml of your webapp.

That should work, assuming you already have https working in another port (usually 443). If you don't, make sure your tomcat_dir/conf/server.xml looks like this:

<!-- Default tomcat connector, changed the redirectPort from 8443 to 443 -->
<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

<!-- To make https work on port 443 -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    <SSLHostConfig>
        <Certificate certificateKeyFile="/your/own/privkey.pem"
            certificateFile="/eyour/own/cert.pem"
            certificateChainFile="/your/own/chain.pem"
            type="RSA" />
    </SSLHostConfig>
</Connector>

I would strongly advise against adding ``s in `conf/web.xml`. The rules of [combining constraints](https://jakarta.ee/specifications/servlet/5.0/jakarta-servlet-spec-5.0.html#combining-constraints) will have the inverse effect on any application which already has a `` with URL pattern `/*`: the effective constraints will be the **union**, not the **intersection**. — Piotr P. Karwasz, Jun 18 '21 at 08:50

score 30 · Answer 2 · edited Aug 18 '22 at 07:40

The connector configuration you shown does not redirect a specific URL in the way you suppose.

That configuration acts if you have configured a CONFIDENTIAL transport guarantee for a web application inside that servlet container.

I mean, if you have deployed any application on that connector, where its web.xml descriptor has a security-constraint as follows:

<security-constraint>

    <web-resource-collection>
        <web-resource-name>Secured</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    ...

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

</security-constraint>

Then, Tomcat will redirect any matching url-pattern to the configured port in order to use HTTPS as guarantor of confidentiality in transport.

So, if you want to redirect a specific URL, you have to complement connector's configuration with specific application configuration.

Edit

As you suggest in your comment, it could be another step to get this configuration working. Once you have configured http connector as shown, and then configured app as I told you, you only to ensure that your Tomcat server has an HTTPS connector configured, other way redirection won't work.

To configure this HTTPS connector, you can use a configuration as following:

<Connector connectionTimeout="20000"
    acceptCount="100" scheme="https" secure="true"
    port="443" clientAuth="false" sslProtocol="TLS"  
    keystoreFile="PATH_TO_KEY_STORE"  
    keystorePass="KEY_STORE_PASS"  
    keyAlias="KEY_STORE_ALIAS"/>

This is a sample configuration where I didn't put some attributes that can be important for you as threads attrs, executors, and so on.

The most important thing is the KeyStore configuration that you need to serve HTTPS connections. Here you have the official documentation to prepare a java KeyStore for Tomcat to serve HTTPS.

Thank you for the response, i am still missing something - what changes/additions do i have to make, so that the redirection will occur as explained in the question? (including the port). If i want http://www.example.com/myApp (http) to redirect to https://www.example.com:8443/mysecondapp (https) - what contexts\connectors\web.xml changes should i make ? — iddqd, Oct 22 '15 at 07:35

score 13 · Answer 3 · answered Oct 25 '15 at 03:46

I have a running tomcat application that already have the following redirection rule from HTTP to HTTPs:

As malaguna answered, that Connector configuration is not a redirection rule. It is just a setting that is used when performing redirection triggered by <transport-guarantee>CONFIDENTIAL</transport-guarantee>.

There is no way to overwrite that setting on per-application basis.

If you need better control over such redirection, you need to implement your own Filter that will implement a redirection (if (!request.isSecure()) { response.sendRedirect(...);}), or configure a 3rd party one.

// Technically, in current Tomcat 8 code the redirection triggered by transport-guarantee is performed by org.apache.catalina.realm.RealmBase.hasUserDataPermission(...) method.

score 4 · Answer 4 · answered Oct 28 '15 at 12:28

If you use tomcat with httpd, you can use RewriteEngine.

With port specified is like the followings in the http.conf:

NameVirtualHost *:8443 #your specified port
<VirtualHost *:8443>
   ServerName www.example.com
   Redirect permanent / https://secure.example.com/
</VirtualHost>

See: RewriteHTTPToHTTPS and Redirect Request to SSL

score 1 · Answer 5 · answered Mar 27 '19 at 16:34

Putting transport-guarantee CONFIDENTIAL in conf/web.xml is good, but it does not cover the manager app and the host-manager app (Tomcat 8.5.38).

My solution is to put a valve in conf/context.xml that redirects all http requests to https.

https://bitbucket.org/bunkenburg/https-valve/src/master/

score -1 · Answer 6 · answered Jun 18 '21 at 08:28

-1

It's too late to answer, still I'm sharing my experience over the same, do the following changes in

Apache Software Foundation\Tomcat 8.5\conf\web.xml

Take a restart.

Pre-Req: configure https port and disable http port(optional[I did it])

answered Jun 18 '21 at 08:28

Pratik Gaurav

661
7
8

Check [my comment](https://stackoverflow.com/questions/33208796/redirect-http-to-httpsport-in-tomcat#comment120244545_44914427) on Mateus' answer: this can have the opposite effect of what you want for some applications. E.g. if an application requires to authenticate with an `admin` role on all pages (`/*`), your solution will allow anybody to connect to the application through HTTP and without authentication. – Piotr P. Karwasz Jun 18 '21 at 08:59
Hi @PiotrP.Karwasz It was wrong to put it as a wrong answer, as I've already disabled HTTP port on my server. – Pratik Gaurav Jun 19 '21 at 12:21
I downvoted the current version of your answer because: 1. it provides a security risk (concrete example: replace `/*` with `/html/*` and you can connect to Tomcat Manager without authentication), 2. your solution was already given by Mateus. Remark also, that it is better to add code/configuration as text not images. – Piotr P. Karwasz Jun 19 '21 at 20:34
If you've already disabled the http port, how would someone get redirected from http to https (this was the original question)? They would have to be able to connect to http to receive the redirect response. – Frans Feb 27 '23 at 14:59

score -3 · Answer 7 · answered Feb 18 '18 at 07:29

        <Connector connectionTimeout="20000" port="8081" protocol="HTTP/1.1" redirectPort="443"/>

        <Connector port="443" 
               SSLEnabled="true" 
               acceptCount="100" 
               disableUploadTimeout="true" 
               enableLookups="false" 
               maxHttpHeaderSize="8192" 
               maxThreads="550" 
               minSpareThreads="25"  
               scheme="https" 
               secure="true" 
               compression="on"
               protocol="org.apache.coyote.http11.Http11NioProtocol" 
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
                   <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/> 
                   <SSLHostConfig protocols="TLSv1.2" 
                                  certificateVerification="none" 
                                  ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA">
                                        <Certificate type="RSA" 
                                                     certificateKeystoreFile="/ssl/self-signed/your-keystore.jks" 
                                                     certificateKeystorePassword="123456" 
                                                     certificateKeyAlias="your-alias" /> 
                    </SSLHostConfig>
        </Connector>

Redirect HTTP to HTTPS:PORT in Tomcat

7 Answers7

Edit

Linked