tomcat ssl重定向循环

Question

我的应用程序在tomcat中使用ssl，当我使用端口8080时运行良好，当我访问http://localhost:8080时，它重定向到https://localhost:8443。

但是当我使用非 8080 端口（8081,8082 等）并访问 http://localhost:8081（或 http://localhost:8082 等）时，它会无限重定向循环到 http://localhost:8081（或 http://localhost:8082 等） )

这里是带有 8080 的 server.xml

<?xml version='1.0' encoding='utf-8'?>

<Server port="8005" shutdown="SHUTDOWN">

  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>


  <Service name="Catalina">

    <Connector port="8080" protocol="HTTP/1.1" 
               connectionTimeout="20000" 
               redirectPort="8443" />


            <Connector SSLEnabled="true" clientAuth="false" keyAlias="key" keystoreFile="webapps/ROOT/META-INF/my.keystore" keystorePass="pass" maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>   


    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />


    <Engine name="Catalina" defaultHost="localhost">

      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <!-- Define the default virtual host
           Note: XML Schema validation will not work with Xerces 2.2.
       -->
      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">


      </Host>
    </Engine>
  </Service>
</Server>

这里我的 server.xml 带有 8081

    <?xml version='1.0' encoding='utf-8'?>

<Server port="8005" shutdown="SHUTDOWN">

  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>


  <Service name="Catalina">

    <Connector port="8081" protocol="HTTP/1.1" 
               connectionTimeout="20000" 
               redirectPort="8443" />


            <Connector SSLEnabled="true" clientAuth="false" keyAlias="key" keystoreFile="webapps/ROOT/META-INF/my.keystore" keystorePass="pass" maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>   


    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />


    <Engine name="Catalina" defaultHost="localhost">

      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <!-- Define the default virtual host
           Note: XML Schema validation will not work with Xerces 2.2.
       -->
      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">


      </Host>
    </Engine>
  </Service>
</Server>

谁能帮帮我？

我正在使用 tomcat 6

Answer 1

要尝试的另一件事是在默认 web.xml 中为所有应用程序强制启用 HTTPS（它应该在 server.xml 旁边的 tomcat/conf 文件夹中）， 通过添加以下内容：

<security-constraint>
        <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
                    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
</security-constraint>

注意： 以下内容适用于启用 ARP 的 Tomcat 实例（即大多数基于 Linux 的安装），但由于 OP 正在运行基于 Windows 的 Tomcat，且 ARP 连接器已禁用（或不可用），它不适用于他。

---

不确定为什么会出现重定向循环，但配置的一个明显问题是您启用了APR（本机）SSL 连接器，它实际上不适用于“keystoreFile”，所以您应该在您的日志中收到类似的错误消息：

java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR 

无论使用什么端口号，SSL 都不应该为您工作。

打败它的最简单方法是注释掉 APR 监听器：

<!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> -->

让 Tomcat 使用 JSSE 连接器实现。