How to check SSL protected URL

I am new to the IT industry. The test script is similar to what I need to check if the login page is secure or not?

In general, once we visited some sites that showed a pop-up window for SSL security. Therefore, I need to check the same script in my application.

I have a small web application where I have a login.html page. Basically, I can run my web application using Maven and the server is Tomcat. The command I run is mvn tomcat7:run and the URL using http://localhost:8080/login.html . It works great.

But I want to change my URL from http to https , and when I get access to my URL, i.e. https://localhost:8080/login.html , then it should pop up with an SSL security warning, and I have to accept it.

If my question is still not clear, feel free to comment.

After searching the net, I tried some workarounds, but they didn't work. What I tried:

My HTML Page

    <!DOCTYPE html>
    <html>
    <head>
    </head>
    <body>
    <h1>Login App</h1>
    <div id="emptyDiv"></div>
    <div id="description"></div>
    <!--container start-->
    <div id="container">
      <div id="container_body" style="background-color:#BBD700;float:center;">
        <!--Form start-->
        <div id="form_name">
          <form >
            <div class="firstnameorlastname">
              &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
              <div id="errorBox"></div>
              First Name : <input id="firstName" type="text" name="Name" value="" >
              &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
              Last name : <input id="lastName" type="text" name="LastName" value="" >
            </div>
            &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
            <div id="email_form">
              Email Id: <input style="position:right" type="text" name="Email" value="" >
            </div>
            <input id="sub_form" type="submit" value="Submit">
          </form>
        </div>
        <!--form ends-->
      </div>
    </div>
    <!--container ends-->
    </body>
    </html>

web.xml

    <!DOCTYPE web-app PUBLIC
      "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
      "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
      <!--
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>MyEducationApp</web-resource-name>
          <url-pattern>/login.html</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Non-SecureResource</web-resource-name>
          <url-pattern>/login.html</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      -->
      <display-name>Login WebApp</display-name>
    </web-app>

Maven plugin used

    <!-- Maven Tomcat Plugin -->
    <plugin>
      <groupId>org.apache.tomcat.maven</groupId>
      <artifactId>tomcat7-maven-plugin</artifactId>
      <version>2.2</version>
      <configuration>
        <url>https://localhost:8080/manager/text</url>
        <server>localhost</server>
        <path>/</path>
        <username>admin</username>
        <password>aRfalah</password>
      </configuration>
      <executions>
        <execution>
          <id>tomcat7-run</id>
          <goals>
            <goal>run-war-only</goal>
          </goals>
          <phase>pre-integration-test</phase>
          <configuration>
            <fork>true</fork>
          </configuration>
        </execution>
        <execution>
          <id>tomcat7-shutdown</id>
          <goals>
            <goal>shutdown</goal>
          </goals>
          <phase>post-integration-test</phase>
        </execution>
      </executions>
    </plugin>
+5
source share
5 answers

SSL / TLS encryption for your website is what you can do in your web application. This is done through the configuration of your web server.

See Apache Tomcat 7, SSL HOW-TO Setup.


Additional information (repeated from my comment on OQ, as comments are not so noticeable):

You do not need to buy a certificate from one of the certification authorities (CA) to obtain a certificate.

  • StartSSL offers 1-year SSL/TLS + S/MIME for free. In another domain they offer now:
    • UNLIMITED 2-year Extended Validation SSL certificates for free - up to 99 domains
    • UNLIMITED number of 2-year Organization SSL certificates for FREE - Multi-Domain and Group Invitation
    • FREE number of 2-year organization client certificates
  • You can easily create your own certificates with OpenSSL (thus being your own CA) and associate this certificate with your https:// site. If your visitors accept your certificate in a dialog box that appears in their browser, it is stored in the browser certificate store and the dialog does not appear again until the expiration date of the certificate is reached.
+6
source

This is what you need to do:

  • Create a self-signed certificate and install it in Tomcat (Gerold Broser's post has a link)
  • By default, the SSL port is disabled in Tomcat; enable it (same link as above)
  • Change your URL to https://local_host:8443/login.html (the default SSL port for Tomcat)
  • Make a request through your browser; you should see a page / message, depending on the browser, saying that the certificate is not in order.

If you want this page to be accessible only through SSL, see Tim Funk's post and edit the application's web.xml.

+5
source

A common practice is to check with request.isSecure() whether the request came through https or not. If not, send a redirect to the browser for the same URL, but with the https protocol prefix.

Here is an example servlet filter:

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;

    public class SecurityFilter implements Filter {

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse servletResponse = (HttpServletResponse) response;

            if (!request.isSecure()) {
                HttpServletRequest servletRequest = (HttpServletRequest) request;
                String target = "https://" + request.getLocalName() + servletRequest.getRequestURI();
                servletResponse.sendRedirect(target);
                return;
            }

            // tell the browser to use only https for accessing this domain for the next 30 days
            servletResponse.addHeader("Strict-Transport-Security", "max-age=" + (30 * 24 * 60 * 60));
            chain.doFilter(request, response);
        }

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
            // not needed
        }

        @Override
        public void destroy() {
            // not needed
        }
    }

To enable the filter globally, add the following to your web.xml:

    <filter>
      <filter-name>securityFilter</filter-name>
      <filter-class>SecurityFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>securityFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

The line servletResponse.addHeader("Strict-Transport-Security", ... is optional. If you put it in the code, your browser will never try to connect over http again during the next 30 days, but will use https by itself. This will happen if your browser supports the HSTS standard (RFC 6797). It makes sense if your application should only be accessible via https. However, I think this is only possible with the standard https port 443. See below.

There is a tiny trap in your current Tomcat configuration. You cannot run http and https on the same port. You need to have two separate sockets, one for http and one for https.

For this to happen, add to the Maven Tomcat plugin configuration:

    <!-- Maven Tomcat Plugin -->
    <plugin>
      <groupId>org.apache.tomcat.maven</groupId>
      <artifactId>tomcat7-maven-plugin</artifactId>
      <version>2.2</version>
      <configuration>
        <httpsPort>8443</httpsPort>
        . . .

You also need to add the correct protocol for the redirection purpose in the SecurityFilter code (or make it a parameter):

  String target = "https://" + request.getLocalName() + ":8443" + servletRequest.getRequestURI(); 

Port 8080 and 8443 are for experimental local web servers only, real applications should be on ports 80 and 443.

That's it. Good luck!

+4
source
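A check script for what the filter in the answer above should produce, added here as an example (it is not code from the answer or from Tomcat): it takes the status, Location and headers read from a response, for instance from `curl -sI`, and lists deviations. All function names and sample responses are constructed; because `getRequestURI()` excludes the query string, the filter's redirect loses it, which the second sample shows.

```python
from urllib.parse import urlsplit

THIRTY_DAYS = 30 * 24 * 60 * 60  # max-age sent by the filter above

def check_redirect(request_url, status, location, https_port=8443):
    """Problems with the response to a plain-HTTP request that should move to HTTPS."""
    if status not in (301, 302, 303, 307, 308):
        return [f"expected a redirect, got HTTP {status}"]
    src, dst = urlsplit(request_url), urlsplit(location or "")
    problems = []
    if dst.scheme != "https":
        problems.append("redirect target is not https")
    if dst.hostname != src.hostname:
        problems.append("redirect changes the host")
    if (dst.port or 443) != https_port:
        problems.append(f"redirect does not use port {https_port}")
    if dst.path != src.path:
        problems.append("redirect changes the path")
    if dst.query != src.query:
        problems.append("redirect drops the query string")
    return problems

def hsts_max_age(headers):
    """max-age in seconds from Strict-Transport-Security, or None if absent/invalid."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), "")
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and arg.strip().strip('"').isdigit():
            return int(arg.strip().strip('"'))
    return None

def check_hsts(headers, min_age=THIRTY_DAYS):
    """Problems with the HSTS header of a response served over HTTPS."""
    age = hsts_max_age(headers)
    if age is None:
        return ["no usable Strict-Transport-Security header"]
    return [] if age >= min_age else [f"HSTS max-age {age} is below {min_age}"]

# Constructed sample responses (not captured from a real server).
REDIRECT_OK = (302, "https://localhost:8443/login.html")
HTTPS_HEADERS = {"Strict-Transport-Security": "max-age=2592000"}

if __name__ == "__main__":
    print(check_redirect("http://localhost:8080/login.html", *REDIRECT_OK))
    print(check_redirect("http://localhost:8080/login.html?next=/home", *REDIRECT_OK))
    print(check_hsts(HTTPS_HEADERS), check_hsts({}))
```
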

To require HTTPS and have your servlet engine redirect to https automatically, you are on the right track with transport-guarantee.

So you probably want

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/login.html</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

The above will redirect /login.html for your webapp to https. Add the url as needed.

More details: http://wiki.apache.org/tomcat/FAQ/Security#Q4 and http://marc.info/?l=tomcat-user&m=104951559722619&w=2

+3
source
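An audit of `transport-guarantee` settings in a web.xml, added here as an example (not code from the answer above or from Tomcat). Under the Servlet specification's rule for combining constraints on the same url-pattern, the accepted connection types are the union of what each constraint accepts, so a NONE entry beside a CONFIDENTIAL one, as in the question's commented-out block, leaves plain HTTP allowed. Assumptions: the function names and sample documents are constructed, and the check compares identical patterns only (no wildcard matching, no `http-method` handling).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def local(tag):
    """Tag name without an XML namespace, so DTD-based and schema-based files both work."""
    return tag.rsplit("}", 1)[-1]

def transport_guarantees(web_xml):
    """Map each url-pattern to the set of transport guarantees declared for it."""
    declared = defaultdict(set)
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        guarantee, patterns = "NONE", []  # no user-data-constraint means NONE
        for node in sc.iter():
            text = (node.text or "").strip()
            if local(node.tag) == "transport-guarantee":
                guarantee = text.upper()
            elif local(node.tag) == "url-pattern":
                patterns.append(text)
        for pattern in patterns:
            declared[pattern].add(guarantee)
    return dict(declared)

def https_enforced(web_xml):
    """True per pattern only if every constraint on it demands a protected transport."""
    return {p: g <= {"CONFIDENTIAL", "INTEGRAL"}
            for p, g in transport_guarantees(web_xml).items()}

def sample_constraint(name, guarantee):
    # Builds constructed sample input in the shape used on this page.
    return (f"<security-constraint><web-resource-collection>"
            f"<web-resource-name>{name}</web-resource-name>"
            f"<url-pattern>/login.html</url-pattern></web-resource-collection>"
            f"<user-data-constraint><transport-guarantee>{guarantee}"
            f"</transport-guarantee></user-data-constraint></security-constraint>")

# Constructed samples: the question's two constraints uncommented, and the answer's one.
QUESTION_XML = ("<web-app>" + sample_constraint("MyEducationApp", "CONFIDENTIAL")
                + sample_constraint("Non-SecureResource", "NONE") + "</web-app>")
ANSWER_XML = "<web-app>" + sample_constraint("Protected Context", "CONFIDENTIAL") + "</web-app>"

if __name__ == "__main__":
    print(https_enforced(QUESTION_XML))
    print(https_enforced(ANSWER_XML))
```
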

From the original question above:

The command I run is mvn tomcat7:run and the URL using http://localhost:8080/login.html . It works great. But I want to change my url from http to https and when i get access to my url ie https://localhost:8080/login.html

Are you sure about 'http://localhost:8080' and 'https://localhost:8080' ?

This basically means that you are requesting both SSL and non-SSL traffic from the same port. Typically, Tomcat performs HTTP with 8080 and HTTPS with 8443.

Most of the answers here will work for you, but first make sure you enable the SSL connector in server.xml .

+3
source

Source: https://habr.com/ru/post/1204970/

