Tomcat 7 HTTP to HTTPS redirect

Intro


This article shows how to redirect HTTP to HTTPS in the Tomcat 7 servlet container so that it always requires a secure connection. It assumes that the following TCP ports are used for that purpose:
  • 8080: for HTTP
  • 8443: for HTTPS 
Please follow the exact steps described below to get it done.

Configuration


1) Update the server.xml configuration file in the Tomcat home directory and change the following part of its configuration:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443" />

to what's shown below:

<Connector port="8080" enableLookups="false"
           redirectPort="8443" />

2) Update the web.xml configuration file in the Tomcat home directory and add the following content at the end, just before the closing </web-app> tag:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

3) Restart the Tomcat servlet container.

You're done! Tomcat now always requires a secure connection.
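
The audit below is an added example, not code from the original article or from the Tomcat project: it parses a server.xml and a web.xml and reports when the HTTP connector's redirectPort does not point at a TLS connector, or when the CONFIDENTIAL constraint does not cover /* for all HTTP methods. The sample files are constructed, the attributes of the 8443 connector are assumed (the article does not show that connector), and the check assumes TLS terminates on Tomcat itself.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring steps 1 and 2 of the article (not real deployments).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" enableLookups="false" redirectPort="8443" />
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true" />
</Service></Server>"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    # Strip the XML namespace so namespaced web.xml files match as well.
    return tag.rsplit("}", 1)[-1]

def confidential_patterns(web_xml):
    """Return url-patterns that a CONFIDENTIAL constraint covers for every HTTP method."""
    patterns = []
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) != "security-constraint":
            continue
        texts = {}
        for child in el.iter():
            texts.setdefault(local(child.tag), []).append((child.text or "").strip())
        # http-method / http-method-omission limit the constraint to some verbs only.
        narrowed = "http-method" in texts or "http-method-omission" in texts
        if "CONFIDENTIAL" in texts.get("transport-guarantee", []) and not narrowed:
            patterns += texts.get("url-pattern", [])
    return patterns

def audit(server_xml, web_xml):
    """Return a list of findings; an empty list means the redirect setup is consistent."""
    findings = []
    connectors = [c.attrib for c in ET.fromstring(server_xml).iter("Connector")]
    tls_ports = {c.get("port") for c in connectors if c.get("SSLEnabled", "").lower() == "true"}
    for c in connectors:
        port, target = c.get("port"), c.get("redirectPort")
        is_ajp = c.get("protocol", "").startswith("AJP")
        if port not in tls_ports and not is_ajp and target not in tls_ports:
            findings.append(f"connector {port}: redirectPort {target} is not a TLS connector")
    if "/*" not in confidential_patterns(web_xml):
        findings.append("web.xml: CONFIDENTIAL does not cover /* for all methods")
    return findings
```

Calling `audit()` with the contents of the real conf/server.xml and conf/web.xml gives the same report for a live installation.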

Related topics:


http://tkurek.blogspot.com/2013/07/how-to-secure-tomcat-7-with-ssl-tls.html

28 comments:

  1. Is it possible to use a different url-pattern instead of /* ? Let's say I'd like to secure only /docs directory rather than the whole site. I made some tests using the syntax below but it doesn't seem to work.

    /docs/*

    Replies
    1. @Unknown:

      I'm not sure whether it's doable. Have you thought about putting Apache in front of Tomcat?

  2. Hello,

    Just wanted to say many thanks!!. This worked for me.

    Sincerely,
    j

  3. Worked for me... Thanks

  4. It works for me. Thanks, Tytus Kurek.

  5. Worked fine so far...thanks!!

  6. Hi,

    I tried but got below errors.
    "The ResourceConfig instance does not contain any root resource classes."

  7. How can this be combined with basic authentication?

    Replies
    1. @Anonymous October 12, 2015 at 5:21 PM:
      Basic Authentication is managed by the web app (or whatever client/server tools you're using). You can think of SSL / HTTPS as being a bubble that wraps around the connection between the server and the client (for encryption)... but it does not define how you send / manage credentials and authentication.

  8. Thank you. It works for me too.

  9. Hello, I learned about redirect on your blog, can I reference it in my blog?

  10. Works for me to set SafeQ server work on https.
    Thanks!

  11. Thank you! It really works.

  12. Thank you for the auspicious writeup. It in fact was a amusement account
    it. Look advanced to far added agreeable from you!
    By the way, how could we communicate?

  13. This comment has been removed by the author.

  14. Hi, it doesn't work for me, I need help.
    If I hit the URL
    it gives a response in the browser
    and the URL changes automatically to

    Replies
    1. URL: https://localhost:8080/
      Response: This site can’t be reached

  15. Hello,
    how can we add header security in Tomcat Apache 7.0.79?
    We need to add Content Security Policy and HSTS.

  16. http listener rules had ROOT instead of default {path} hence why redirection happened. Right now it is fixed and I don't see ROOT in the http URL redirecting to https.

  17. Hi, this does a redirect to https, but appends :8443 at the end of the domain part of the URL.

    Can I fix that?
