Force Tomcat to redirect all HTTP traffic to HTTPS.
<!--
To force Tomcat to redirect all requested HTTP traffic to HTTPS, add the block below to the `conf/web.xml` file.
Place it at the very end of the file, just above the closing `</web-app>` tag:
-->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Automatic Forward to HTTPS/SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
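
An added example, not part of the gist: a Python check that a `conf/web.xml` really forces `/*` to HTTPS, catching a block pasted outside the root element or scoped to a narrower path. The function names and the sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Drop the namespace so Java EE and Jakarta EE descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def kids(elem, name):
    return [c for c in elem if local(c.tag) == name]

def texts(elems):
    return [(e.text or "").strip() for e in elems]

def https_gaps(web_xml_text):
    """Return a list of problems; an empty list means /* is forced to HTTPS."""
    try:
        root = ET.fromstring(web_xml_text)
    except ET.ParseError as exc:
        return ["web.xml does not parse (block outside the root element?): %s" % exc]
    if local(root.tag) != "web-app":
        return ["root element is <%s>, expected <web-app>" % local(root.tag)]
    for sc in kids(root, "security-constraint"):
        guarantees = texts(tg for udc in kids(sc, "user-data-constraint")
                           for tg in kids(udc, "transport-guarantee"))
        if "CONFIDENTIAL" not in guarantees:
            continue
        for wrc in kids(sc, "web-resource-collection"):
            # A collection limited by http-method leaves other methods unconstrained.
            limited = kids(wrc, "http-method") or kids(wrc, "http-method-omission")
            if "/*" in texts(kids(wrc, "url-pattern")) and not limited:
                return []
    return ["no CONFIDENTIAL constraint covers /* for every HTTP method"]

# Constructed sample descriptors (not taken from a real installation).
BLOCK = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>Automatic Forward to HTTPS/SSL</web-resource-name>
    <url-pattern>%s</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>"""
NS = 'xmlns="http://xmlns.jcp.org/xml/ns/javaee"'
GOOD = "<web-app %s>%s</web-app>" % (NS, BLOCK % "/*")
NARROW = "<web-app %s>%s</web-app>" % (NS, BLOCK % "/app/*")
MISPLACED = "<web-app %s></web-app>%s" % (NS, BLOCK % "/*")

if __name__ == "__main__":
    print({n: https_gaps(globals()[n]) for n in ("GOOD", "NARROW", "MISPLACED")})
```

To audit a real installation, pass the contents of its `conf/web.xml` to `https_gaps`.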

toddkaufmann commented Apr 17, 2018

that should be: ".. the ending </web-app> tag"
(there's a dash in there)

ashokkumar2003 commented May 24, 2018

Not working with Tomcat 8 if we are running under an AWS ALB, with SSL on the ALB.

sunilm2 commented Jun 4, 2018

Hi @ashokkumar2003, any solution for ALB with SSL?

albertus82 commented Oct 31, 2018

Some applications don't work correctly with that security-constraint, so I followed a completely different approach:

  • Edit conf/server.xml and add the following element into <Host name="localhost" ...>:

        <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />

  • Create the file conf/Catalina/localhost/rewrite.config:

        RewriteCond %{HTTPS} =off
        RewriteRule ^(.*) https://%{HTTP_HOST}:443$1 [R=301]

Bill-Stewart commented Nov 19, 2018

@albertus82 - I found that the <security-constraint> technique listed here doesn't work with the Waffle libraries (Windows) - but using the rewrite valve does work. Thank you!

zhonghuasheng commented Mar 15, 2019

works fine, thx

bunkenburg commented Mar 27, 2019

This works, but it does not cover the manager app and the host-manager app (Tomcat 8.5.38).
It's better to put a valve into conf/context.xml that redirects all http requests to https.
https://bitbucket.org/bunkenburg/https-valve/src/master/
