We have a single Windows server running Apache and Tomcat with mod_jk enabled. The Tomcat app runs perfectly fine as does the separate PHP app (under Apache). We installed a commercial SSL cert under Apache and created a directive in the httpd-ssl.conf file. All this works fine.
If we browse directly to https://www.domain.com/app/foo/bar it works fine, so we know the certificate is working. Our problem is that we want certain pages (JSP pages specifically) to load up under https. We tried putting .htaccess files in the proper folders (where we think the servlets are living) and that doesn't do anything, presumably since Tomcat is not serving the pages, Apache is (is that the correct thinking?). So, we are confused as to where we are supposed to configure the rules (?) to force https for certain JSP pages and not others. Presumably Apache should be handling this, but since the .htaccess file is not working, what other option is there?
I'm wondering if apache/mod_jk are configured so that requests matching *.jsp or /webappdir/*.jsp are getting passed along to tomcat before your .htaccess changes get the chance to issue that redirect to https.
I think you are going to want to add security-constraints into your tomcat web.xml so that your requests matching url-pattern /webappdir/*.jsp are set to use a CONFIDENTIAL transport guarantee. (At least, this is what the servlet and jsp specs seem to assume you are going to want to do.) I don't have a system to play with right now but maybe something along the lines of the following inside your web.xml may work:
Caveat: I'm not 100% sure on the url-pattern—you may need to experiment a bit here. If you don't want to ssl encrypt all of your jsps, you might end up with a much longer list of url-pattern entries. Also, I don't remember if tomcat issues a 301 redirect suggesting the browser re-follow the link using https or if tomcat issues some other status code.
Of course, ssl isn't going to add that much overhead so you could just encrypt the whole site. That would probably make your more security-conscious visitors a lot happier.
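A web.xml fragment of the kind the answer above describes, as an added example that is not part of the original answer. The paths /secure/* and /login.jsp are hypothetical placeholders, and the fragment assumes it is placed inside the <web-app> element of the Tomcat application's WEB-INF/web.xml.

```xml
<!-- Added example: goes inside <web-app> in WEB-INF/web.xml of the Tomcat app. -->
<!-- /secure/* and /login.jsp are hypothetical paths; substitute your own. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Pages that must use HTTPS</web-resource-name>
    <!-- Patterns are relative to the webapp's context root, not the server root.
         The servlet spec accepts only three forms: an exact path, "/prefix/*",
         or "*.ext". A mixed form such as /webappdir/*.jsp is treated as a
         literal path, so list a directory prefix or individual pages instead. -->
    <url-pattern>/secure/*</url-pattern>
    <url-pattern>/login.jsp</url-pattern>
  </web-resource-collection>
  <!-- No <auth-constraint> here: this constraint enforces transport only,
       it does not require the user to log in. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- When a matching page is requested over plain HTTP, Tomcat redirects to the
     port named by redirectPort on the receiving <Connector> in server.xml.
     With Apache terminating SSL on 443 in front of mod_jk, set redirectPort
     on the AJP connector to 443 so the redirect lands on Apache's SSL vhost. -->
```

mod_jk forwards the request's SSL status to Tomcat over AJP, so a request that reached Apache over https already satisfies the constraint and is not redirected again.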