29

In order to do an SSL Configuration testing under Tomcat, is this all mandatory?

This below line is taken from a website:

In order to do this for our test, take any application which has already been deployed successfully in Tomcat and first access it through http and https to see if it works fine. If yes, then open the web.xml of that application and just add this XML fragment before web-app ends i.e </web-app>:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Is this configuration is mandatory to do inside a web.xml file ??

kenorb
  • 155,785
  • 88
  • 678
  • 743
Pawan
  • 31,545
  • 102
  • 256
  • 434
  • 1
    That block can go in `${CATALINA_HOME}/conf/web.xml` if you want to apply it to everything. – Paul Dec 06 '17 at 15:21

2 Answers2

47

No, it's not necessary. It means that your web application only available through HTTPS (and not available through HTTP).

If you omit the <transport-guarantee>CONFIDENTIAL</transport-guarantee> tag (or the whole <security-constraint>) your application will be available through both HTTP and HTTPS. If your web.xml contains <transport-guarantee>CONFIDENTIAL</transport-guarantee> Tomcat automatically redirects the requests to the SSL port if you try to use HTTP.

Please note that the default Tomcat configuration does not enable the SSL connector, you have to enable it manually. Check the SSL Configuration HOW-TO for the details.

palacsint
  • 28,416
  • 10
  • 82
  • 109
  • 1
    is it possible that port number remains the same and only it redirects to https? – shzyincu Apr 05 '17 at 10:22
  • i have url https://pen.srv.co.uk:8082/pentaho/Home, it works fine but i want is, if user try to achieve the non https version of the url he should be redirected to the https from http on same port 8082, is it possible? – shzyincu Apr 05 '17 at 10:36
  • @shzyincu: Sorry, I can't help you about that, I guess you should ask that as a new question. – palacsint Apr 05 '17 at 13:49
5

If you check closer, the blog explains that further:

Any resource in your application can be accessed only with HTTPS be it Servlets or JSP’s. The term CONFIDENTIAL is the term which tells the server to make the application work on SSL. If you want to turn the SSL mode for this application off then just turn don’t delete the fragment. Just put the value as NONE instead of CONFIDENTIAL.

kenorb
  • 155,785
  • 88
  • 678
  • 743