Servlet Container Security Configuration

...

Example of the Connector element for HTTP:

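          <!-- redirectPort: where requests are redirected when a security constraint requires SSL transport -->
          <Connector port="8080"
              maxThreads="6" minSpareThreads="2" maxSpareThreads="5"
              enableLookups="false" redirectPort="8443" acceptCount="100"
              debug="0" connectionTimeout="20000"
              disableUploadTimeout="true" />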

Example of the Connector element for HTTPS (with keystore in /tomcat/conf/keystore):

          <!-- clientAuth="true": the client must present a certificate trusted by the truststore -->
          <Connector port="8443"
              maxThreads="6" minSpareThreads="2" maxSpareThreads="5"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" debug="0" scheme="https" secure="true"
              sslProtocol="TLS"
              keystoreFile="/tomcat/conf/keystore"
              keystorePass="changeit"
              clientAuth="true"
              truststoreFile="/tomcat/conf/keystore"
              truststorePass="changeit" />

...

Here is an example of a security-constraint element that requires HTTPS for the servlet classes EditProfileServlet, LDAPServlet, PasswordServlet and RegisterServlet. I believe these are the only places where passwords are entered.

<security-constraint>
   <web-resource-collection>
     <web-resource-name>Pages requiring HTTPS</web-resource-name>
     <url-pattern>/profile</url-pattern>
     <url-pattern>/register</url-pattern>
     <url-pattern>/password-login</url-pattern>
     <url-pattern>/ldap-login</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
</security-constraint>
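
An added check, not part of the original page or the project's code: the Python below parses a web.xml and reports which password-handling paths are not covered by a CONFIDENTIAL constraint that applies to all HTTP methods. The function names and the sample descriptor are constructed for illustration; the URL patterns are the ones listed above.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Drop any XML namespace so namespaced descriptors parse the same way."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _matches(pattern, path):
    """Simplified servlet URL-pattern match: exact, /prefix/* and *.ext."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def confidential_patterns(web_xml):
    """URL patterns under a CONFIDENTIAL constraint covering every HTTP method."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        guarantees = [g.text.strip() for udc in _children(sc, "user-data-constraint")
                      for g in _children(udc, "transport-guarantee") if g.text]
        if "CONFIDENTIAL" not in guarantees:
            continue
        for wrc in _children(sc, "web-resource-collection"):
            if _children(wrc, "http-method"):
                continue  # only the listed methods are constrained: count as a gap
            patterns += [p.text.strip() for p in _children(wrc, "url-pattern") if p.text]
    return patterns

def unprotected(web_xml, required_paths):
    """Return the required paths that no all-method CONFIDENTIAL pattern covers."""
    pats = confidential_patterns(web_xml)
    return [p for p in required_paths if not any(_matches(x, p) for x in pats)]

# Constructed sample: the constraint above with /ldap-login left out.
SAMPLE = """<web-app><security-constraint>
  <web-resource-collection>
    <url-pattern>/profile</url-pattern>
    <url-pattern>/register</url-pattern>
    <url-pattern>/password-login</url-pattern>
  </web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""

if __name__ == "__main__":
    print(unprotected(SAMPLE, ["/profile", "/register", "/password-login", "/ldap-login"]))
```

A collection that lists http-method elements constrains only those methods, so the check treats it as not covering the path.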

...