@jtgasper3
Created April 11, 2014 21:01
Force Tomcat to redirect all HTTP traffic to HTTPS.
<!--
To force Tomcat to redirect and revert all requested HTTP traffic over to HTTPS, configure the `conf/web.xml` file with the below block.
This should be placed at the very end of the file near and above the ending `</webapp>` tag:
-->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Automatic Forward to HTTPS/SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

@toddkaufmann

that should be: ".. the ending </web-app> tag"
(there's a dash in there)

@ashokkumar2003

Not working with Tomcat 8 if we are running under AWS ALB and SSL on ALB.

@sunilm2

sunilm2 commented Jun 4, 2018

Hi @ashokkumar2003, any solution for ALB with SSL?

@albertus82

Some applications don't work correctly with that security-constraint, so I followed a completely different approach:

  • Edit conf/server.xml and add the following element into <Host name="localhost" ...>:
<Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
  • Create the file conf/Catalina/localhost/rewrite.config:
RewriteCond %{HTTPS} =off
RewriteRule ^(.*) https://%{HTTP_HOST}:443$1 [R=301]

@Bill-Stewart

@albertus82 - I found that the <security-constraint> technique listed here doesn't work with the Waffle libraries (Windows) - but using the rewrite valve does work. Thank you!

@zhonghuasheng

works fine, thx

@bunkenburg

This works, but it does not cover the manager app and the host-manager app (Tomcat 8.5.38).
It's better to put a valve into conf/context.xml that redirects all http requests to https.
https://bitbucket.org/bunkenburg/https-valve/src/master/
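
A way to confirm the redirect from outside, covering the manager paths mentioned in the comment above (an added example, not code from the gist or its commenters). It requests each path over plain HTTP without following redirects and checks that `Location` points to `https` on the expected host and port; the host name, port numbers and path list are assumptions to adjust.

```python
import http.client
from urllib.parse import urlsplit

# Paths to probe (assumed defaults); the manager paths are the ones the comment above says were missed.
DEFAULT_PATHS = ("/", "/manager/html", "/host-manager/html")


def evaluate_redirect(status, location, expected_host, https_port=443):
    """Classify one plain-HTTP response. Returns (ok, reason)."""
    if status not in (301, 302, 303, 307, 308):
        return False, f"status {status}: request was not redirected"
    if not location:
        return False, "redirect without a Location header"
    target = urlsplit(location)
    if target.scheme != "https":
        return False, f"redirects to scheme {target.scheme or '(relative)'!r}, not https"
    try:
        port = target.port or 443
    except ValueError:  # e.g. a Location such as https://host:8080:443/ (two ports)
        return False, f"malformed authority {target.netloc!r}"
    if (target.hostname or "").lower() != expected_host.lower():
        return False, f"redirects to unexpected host {target.hostname!r}"
    if port != https_port:
        return False, f"redirects to port {port}, expected {https_port}"
    return True, f"{status} -> {location}"


def check_http_redirects(host, http_port=80, paths=DEFAULT_PATHS, https_port=443, timeout=5):
    """Request each path over plain HTTP (redirects are not followed) and evaluate it."""
    results = {}
    for path in paths:
        conn = http.client.HTTPConnection(host, http_port, timeout=timeout)
        try:
            conn.request("GET", path)  # http.client sends Host as host:port, like a browser
            resp = conn.getresponse()
            results[path] = evaluate_redirect(resp.status, resp.getheader("Location"), host, https_port)
        except OSError as exc:
            results[path] = (False, f"connection failed: {exc}")
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    # "tomcat.example.test" and port 8080 are placeholders for the server under test.
    for path, (ok, reason) in check_http_redirects("tomcat.example.test", 8080).items():
        print("OK  " if ok else "FAIL", path, reason)
```
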

@musselabortion

musselabortion commented Oct 14, 2021

Some applications don't work correctly with that security-constraint, so I followed a completely different approach:

* Edit `conf/server.xml` and add the following element into `<Host name="localhost" ...>`:
<Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
* Create the file `conf/Catalina/localhost/rewrite.config`:
RewriteCond %{HTTPS} =off
RewriteRule ^(.*) https://%{HTTP_HOST}:443$1 [R=301]

Hi! I am using the rewrite valve but can't get it to work. It loads and the rule is applied (at least in the logs it shows as applied), but when I run IP:PORT in my browser it does not replace anything. Any ideas? I have been researching the whole internet searching for overwriting http pattern but I only see your method.

I think it may have something to do with the server.xml config. I am not using the localhost interface to run Tomcat; how can I check that the Rewrite valve is being applied to all hosts? I'm using a VM running on a remote server.
Thanks in advance :)

@Luis-Shalom

Thanks, that's great, problem solved

@fakhriyusifli

Thank you very much. It solved my problem that I have been looking for weeks :D
