Apache Tomcat 7---MITM on HTTP to HTTPS redirect
I have the following in server.xml, to redirect users from HTTP to HTTPS:
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               server="Apache" redirectPort="443" />
And in the web service's web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected area</web-resource-name>
            <url-pattern>/topsecret/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>premiumrole</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <deny-uncovered-http-methods />
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
The server authenticates to the user through a certificate, and the user authenticates
to the server using credentials. Under these configurations, would it be
possible to perform a MITM attack when the redirect from HTTP to HTTPS
happens? (e.g., to capture the user's credentials)
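As an added example that is not part of the original question: the web.xml above relies only on the CONFIDENTIAL transport guarantee, so every visit that starts on port 8080 is answered with a plain-HTTP redirect before any TLS is in place. The fragment below keeps that security-constraint and adds Tomcat's own HttpHeaderSecurityFilter so that the Strict-Transport-Security header is sent on HTTPS responses; a browser that has seen it once will go straight to HTTPS on later visits instead of following the redirect. It assumes Tomcat 7.0.64 or later (the release where org.apache.catalina.filters.HttpHeaderSecurityFilter became available), the filter name and the max-age value are my own choices, and it does not cover the very first plain-HTTP request, which is still redirected exactly as the question describes.

```xml
<!-- Added example (not from the original question). Assumes Tomcat 7.0.64+,
     where HttpHeaderSecurityFilter ships in lib/catalina.jar. Place this
     alongside the existing <security-constraint> in the same web.xml. -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <!-- emit Strict-Transport-Security on responses to HTTPS requests -->
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <!-- constructed value: one year; browsers remember HTTPS-only for this host -->
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <!-- extend the policy to subdomains so an http:// link to any of them is also upgraded -->
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

The filter only sets the header when request.isSecure() is true, so the HSTS policy is learned on the first successful HTTPS response and enforced by the browser from then on; it does not change what Tomcat sends on port 8080. Check the result by requesting the protected path over HTTPS and confirming a Strict-Transport-Security header with the configured max-age is present in the response.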