I am running Tomcat 7 and am deploying a bunch of applications delivered to me by a third party as WAR files.
I'd like to force some of those apps to always use SSL. (All the "SSL" apps are in one service; other apps outside this discussion are in another service.)
I've figured out how to use conf\web.xml to redirect apps from HTTP to HTTPS, but that applies to all applications hosted by Tomcat. I've also figured out how to put web.xml in an unpacked app's web-inf directory; that does the trick for that specific app, but runs the risk of being overwritten if our vendor gives us a new war file to deploy.
I've also tried placing the web.xml file in various places under conf\service\host, or under appbase, but none seem to work.
Is it possible to redirect some apps to SSL without forcing all apps to redirect, or to put the web.xml file inside the extracted WAR file?
Here's my server.xml:
<Service name="secure">
<Connector port="80" connectionTimeout="20000" redirectPort="443"
URIEncoding="UTF-8" enableLookups="false" compression="on"
protocol="org.apache.coyote.http11.Http11Protocol"
compressableMimeType="text/html,text/xml,text/plain,text/javascript,application/json,text/css"/>
<Connector port="443"
URIEncoding="UTF-8" enableLookups="false" compression="on"
protocol="org.apache.coyote.http11.Http11Protocol"
compressableMimeType="text/html,text/xml,text/plain,text/javascript,application/json,text/css"
scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS"
keystoreFile="..." keystorePass="..." keystoreType="PKCS12"
truststoreFile="..." truststorePass="..." truststoreType="JKS"
clientAuth="false"
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA"/>
<Engine name="secure" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<Host name="localhost" appBase="webapps" unpackWARs="false"
autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
</Host>
</Engine>
</Service>
<Service name="mutual-secure">
...
</Service>
The content of the web.xml files I'm playing with is:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0"
metadata-complete="true">
<security-constraint>
<web-resource-collection>
<web-resource-name>All applications</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<description>Redirect all requests to HTTPS</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
</web-app>
(For conf\web.xml the security-constraint is added just before the end of the existing file, rather than create a new file.)
My webapps directory (currently) contains only the WAR files.
