Where to place web.xml outside WAR file for secure redirect?

Where to place web.xml outside WAR file for secure redirect? - If a page has internal and external outgoing links to redirecting URLs, it’s returning 3xx (301, 302, etc.) HTTP status codes standing for redirection. This issue means that the page does not exist on a permanent or temporary basis. It appears on most of the popular web browsers, usually caused by a misconfigured website. However, there are some steps you can take to ensure the issue isn’t on your side. You can find more details about redirecting URLs by reading the Google Search Central overview. In this article, we’ll go over how you can fix the Where to place web.xml outside WAR file for secure redirect? error on your web browser. Problem :


I am running Tomcat 7 and am deploying a bunch of applications delivered to me by a third party as WAR files.



I'd like to force some of those apps to always use SSL. (All the "SSL" apps are in one service; other apps outside this discussion are in another service.)



I've figured out how to use confweb.xml to redirect apps from HTTP to HTTPS, but that applies to all applications hosted by Tomcat. I've also figured out how to put web.xml in an unpacked app's web-inf directory; that does the trick for that specific app, but runs the risk of being overwritten if our vendor gives us a new war file to deploy.



I've also tried placing the web.xml file in various places under confservicehost, or under appbase, but none seem to work.



Is it possible to redirect some apps to SSL without forcing all apps to redirect, or to put the web.xml file inside the extracted WAR file?



Here's my server.xml:



<Service name="secure">
    <Connector port="80" connectionTimeout="20000" redirectPort="443"
        URIEncoding="UTF-8" enableLookups="false" compression="on"
        protocol="org.apache.coyote.http11.Http11Protocol"
        compressableMimeType="text/html,text/xml,text/plain,text/javascript,application/json,text/css"/>
    <Connector port="443"
        URIEncoding="UTF-8" enableLookups="false" compression="on"
        protocol="org.apache.coyote.http11.Http11Protocol"
        compressableMimeType="text/html,text/xml,text/plain,text/javascript,application/json,text/css"
        scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS"
        keystoreFile="..." keystorePass="..." keystoreType="PKCS12" 
        truststoreFile="..." truststorePass="..." truststoreType="JKS"
        clientAuth="false" 
        ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA"/>
    <Engine name="secure" defaultHost="localhost">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" 
            resourceName="UserDatabase"/>
        <Host name="localhost" appBase="webapps" unpackWARs="false" 
            autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
        </Host>
    </Engine>
</Service>
<Service name="mutual-secure">
    ...
</Service>


The content of the web.xml files I'm playing with is:



<web-app 
    xmlns_xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi_schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0"
    metadata-complete="true">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All applications</web-resource-name>
                <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <user-data-constraint>
                <description>Redirect all requests to HTTPS</description>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
    </security-constraint>
</web-app>


(For confweb.xml the security-constraint is added just before the end of the existing file, rather than create a new file.)



My webapps directory (currently) contains only the WAR files.


Solution :

I'm not aware of additional locations where you can have web.xml files for Tomcat.



One thing that I do is run Tomcat as a secondary server on port 8080 behind Apache. I use mod_proxy to reverse proxy domains from Apache port 80 to Tomcat port 8080. This way I can put all the SSL onto Apache and configure Apache for the non-SSL redirects using virtual hosts. That way the logic for the SSL is configured separately and outside the control of the webapps.


We hope that this article has helped you resolve the redirects, https, tomcat error in your web browsers. Enjoy browsing the internet uninterrupted!

Comments

Post a Comment

Popular posts from this blog

How to redirect to any domain [duplicate]

How to redirect to any domain [duplicate] - If a page has internal and external outgoing links to redirecting URLs, it’s returning 3xx (301, 302, etc.) HTTP status codes standing for redirection. This issue means that the page does not exist on a permanent or temporary basis. It appears on most of the popular web browsers, usually caused by a misconfigured website. However, there are some steps you can take to ensure the issue isn’t on your side. You can find more details about redirecting URLs by reading the Google Search Central overview. In this article, we’ll go over how you can fix the How to redirect to any domain [duplicate] error on your web browser.  Problem : This question already has an answer here : What are the most commonly used and basic Apac...
Read more

"302 found" for index page bad for SEO?

"302 found" for index page bad for SEO? - If a page has internal and external outgoing links to redirecting URLs, it’s returning 3xx (301, 302, etc.) HTTP status codes standing for redirection. This issue means that the page does not exist on a permanent or temporary basis. It appears on most of the popular web browsers, usually caused by a misconfigured website. However, there are some steps you can take to ensure the issue isn’t on your side. You can find more details about redirecting URLs by reading the Google Search Central overview. In this article, we’ll go over how you can fix the "302 found" for index page bad for SEO? error on your web browser.  Problem : I'm having trouble finding a clear answer on this. I'm optimizing someone else's website, and a tool pointed out that the index page returns a "302 found" (it redirects to a long URL with cookie info). Is this bad for the index page SEO to have a 302 redirect? S...
Read more

Create redirect from url like www.example.us/?p=100&option=

Create redirect from url like www.example.us/?p=100&option= - If a page has internal and external outgoing links to redirecting URLs, it’s returning 3xx (301, 302, etc.) HTTP status codes standing for redirection. This issue means that the page does not exist on a permanent or temporary basis. It appears on most of the popular web browsers, usually caused by a misconfigured website. However, there are some steps you can take to ensure the issue isn’t on your side. You can find more details about redirecting URLs by reading the Google Search Central overview. In this article, we’ll go over how you can fix the Create redirect from url like www.example.us/?p=100&option= error on your web browser.  Problem : I am switching CMS and have about 600 URLs that need to get redirected to the new scheme. The URL on the old site looks like the following on my test server: www.example.us/?p=100&option=com_wordpress&Itemid=619 The new URL scheme will exist as: www.exa...
Read more