Set up the default Admin “manager” and “host-manager” Web Applications to always use HTTPS when Tomcat allows both HTTP and HTTPS connections

Typically when you install Tomcat, you also install the Tomcat-Admin Web Applications – manager and host-manager. These Admin Web Applications let you manage the Web Applications of your own that you host on that Tomcat instance.

In most cases your own Web Application will allow access over only one of HTTP or HTTPS (SSL / TLS). In some cases, however, you may need your own Web Application to allow both, i.e., some URLs may be accessed over either HTTP or HTTPS, while other URLs may be accessed only via HTTPS.

In this case you will enable both the HTTP Connector and the HTTPS Connector, in the server.xml file in /etc/tomcat7/ or /var/lib/tomcat7/conf/. The complete configuration for this is explained in another post – Configure HTTP Access for some URLs and HTTPS Access for other URLs on Tomcat 7

An unintentional side-effect of this is that Tomcat will now also allow HTTP access to the Admin Web Applications. This can be a security risk (depending on your environment), and you may want to set up the Admin Web Applications to be accessible via HTTPS only.

In order to do this, follow these steps.

NOTE: These steps were tested on Tomcat 7 running on an Ubuntu Linux 14.04 LTS instance on AWS EC2. However, the steps below should work on any Tomcat 7 instance on any OS (after adjusting for installation directory locations).

  1. These Admin Web Applications are deployed as part of the tomcat-admin package (tomcat7-admin on Ubuntu Linux), so their configuration is separate from that of your own Web Applications deployed on the Tomcat instance.
  2. The apps are deployed in the directory /usr/share/tomcat7-admin/
  3. Update the web.xml file in /usr/share/tomcat7-admin/manager/WEB-INF/
    • In particular, update the <security-constraint> section
    • Add a new security-constraint that covers every URL of the app and requires a confidential (TLS) transport. Because it has no <auth-constraint>, it changes nothing about who may log in; it only forces HTTPS:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>HTTPS Only</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

  4. Update each of the other existing security-constraints by adding the following just before their closing </security-constraint> tag:

      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>

  5. Similarly update the web.xml file in /usr/share/tomcat7-admin/host-manager/WEB-INF/
  6. Now restart your Tomcat 7 instance
    • sudo service tomcat7 restart
  7. The Admin Web Applications will now be accessible via HTTPS only. Tomcat answers a plain-HTTP request for them with a redirect to the port given in the redirectPort attribute of the HTTP Connector in server.xml, so make sure that attribute points at the port of your HTTPS Connector.
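To confirm that no security-constraint was missed in either descriptor, here is an added audit script (not from the original post) that parses a web.xml and reports every <security-constraint> whose transport-guarantee is not CONFIDENTIAL. The embedded sample is constructed to resemble the manager app's descriptor, not copied from it.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    # web.xml declares a default namespace, so match on the local name only.
    return tag.rsplit('}', 1)[-1]


def _child(elem, name):
    return next((c for c in elem if _local(c.tag) == name), None)


def audit_web_xml(xml_text):
    """Return [(web-resource-name, problem)] for each <security-constraint>
    that does not demand CONFIDENTIAL transport; [] means all require TLS."""
    findings = []
    for sc in ET.fromstring(xml_text):
        if _local(sc.tag) != 'security-constraint':
            continue
        wrc = _child(sc, 'web-resource-collection')
        name_el = _child(wrc, 'web-resource-name') if wrc is not None else None
        name = (name_el.text or '').strip() if name_el is not None else '<unnamed>'
        udc = _child(sc, 'user-data-constraint')
        tg = _child(udc, 'transport-guarantee') if udc is not None else None
        value = (tg.text or '').strip() if tg is not None else ''
        if value != 'CONFIDENTIAL':
            findings.append((name, 'transport-guarantee %s, not CONFIDENTIAL'
                             % ('is ' + value if value else 'absent')))
    return findings


# Constructed sample resembling the manager descriptor (not a copy of it):
# the first constraint is fixed as described above, the second still allows HTTP.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Text Manager interface</web-resource-name>
      <url-pattern>/text/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-script</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
```

Run audit_web_xml() on the contents of both the manager and the host-manager web.xml after editing them; an empty result means every constraint now requires TLS.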