Context Navigation

← Previous Changeset
Next Changeset →

Changeset 32429

Timestamp:

2018-09-06T22:32:58+12:00 (6 years ago)

Author:

ak19

Message:

solr should only be accessible locally (from localhost, specifically 127.0.0.1) which means over http. This conflicted with the previous design of the properties file for working with http and/or https. Now we have tomcat.port.https and localhost.port.http, both always set. In place of server.protocol that used to contain the default protocol, we now have server.protocols which can be set to a comma separated list of one or both of http and https. Drastic restructuring followed. I think I've tested all but https certification stuff.

Location:

main/trunk/greenstone3

Files:

: 10 edited

build.properties.svn (modified) (1 diff)
build.xml (modified) (29 diffs)
resources/tomcat/server_tomcat7.xml.svn (modified) (2 diffs)
resources/web/global.properties.svn (modified) (1 diff)
src/java/org/greenstone/gsdl3/service/FedoraServiceProxy.java (modified) (1 diff)
src/java/org/greenstone/gsdl3/util/ServletRealmCheck.java (modified) (1 diff)
src/java/org/greenstone/server/Server3.java (modified) (2 diffs)
src/java/org/greenstone/server/Server3Property.java (modified) (1 diff)
src/java/org/greenstone/util/GlobalProperties.java (modified) (6 diffs)
src/java/org/greenstone/util/ProtocolPortProperties.java (modified) (4 diffs)

Legend:

: Unmodified
: Added
: Removed

main/trunk/greenstone3/build.properties.svn

-              r32360
+              r32429
 tomcat.server=localhost
+# The default protocol: http, or https for security
+# If you wish to use both, set the default protocol here (https recommended), then
+# uncomment both tomcat.port.http and tomcat.port.https and set them to valid port numbers.
+server.protocol=http
+# server.protocols must contain 'http' or 'https' or both (in order of preference) separated by commas
+# These specify the protocols you want your Digital Library (DL) to be accessible over.
+# The FIRST ONE in the list will be the default.
+# NOTE: For https support, you will additionally also need to
+# - assign a password to keystore.pass below
+# - ensure an unused and valid port number is assigned to tomcat.port.https below
+# - set tomcat.server above to the primary domain name of your DL, and
+# - run the 'ant setup-https-cert' target to get an official security certificate issued (for which
+# you may need admin/sudo permissions)
+server.protocols=http
+#server.protocols=https
+#server.protocols=https,http
+# At minimum, the tomcat.port matching the default server.protocol specified above
+# must be enabled (uncommented) below and be set to a valid port number.
+# You're allowed to enable both tomcat.port values here.
+tomcat.port.http=8383
+#tomcat.port.https=8443
+# You must set a password if using https (if tomcat.port.https is uncommented above)
+# You must set a password if you turned on https support by including 'https' in server.protocols above
 keystore.pass=
+# Choose valid port numbers that aren't already in use for tomcat.port.https and localhost.port.http:
+# If server.protocols above contains https, then your DL will (additionally) be available over https
+# on the port you assign for tomcat.port.https when you make your DL public.
+# But if server.protocols does not contain https, then tomcat.port.https will remain unused.
+tomcat.port.https=8443
+# When the server is running, http will always be available locally at 127.0.0.1 at localhost.port.http
+# If server.protocols above includes http, then your DL will additionally be made public over http
+# (on the hostname denoted by tomcat.server at the port number denoted by localhost.port.http)
+localhost.port.http=8383
 # Tomcat's shutdown port - this may need to be changed if you are running two or more Tomcats

main/trunk/greenstone3/build.xml

-              r32427
+              r32429
        If not testing can either uncomment this property or set value=false.
        BEWARE: iff test.mode is true (so https.testing gets set to minus-minus-staging)
+       AND server.protocol=https, check-tomcat-running and any other targets running
+       an ant http condition to test the default GS DL URL (which will be over https)
+       won't work. This is because the testing certificate is not trusted by
+       clients, in this case the ant http condition. (Clients that are browsers can
+       be set to temporarily trust the testing certificate, but don't know how to make
+       ant do that, maybe it needs to be done at Java level.)
+       AND the default protocol is https (server.protocols contains https first), the
+       check-tomcat-running target and any other targets running an ant http condition
+       to test the default GS DL URL (which will be over https) won't work.
+       This is because the testing certificate is not trusted by clients, in this case
+       the ant http condition. (Clients that are browsers can be set to temporarily
+       trust the testing certificate, but don't know how to make ant do that, maybe it
+       needs to be done at Java level.)
        Ant socket conditions to the URL will work because socket tests don't use
        the protocol, just the host and port.
 …
   </if>
+  <!-- If internal.tomcat.port not yet set, work it out based on server.protocol
+       Would be great if we could just use nested variables in build.properties
+       https://grokbase.com/t/ant/user/04698xjbp3/nested-variables-in-ant
+       http://ant.apache.org/faq.html#propertyvalue-as-name-for-property
+       http://ant.1045680.n5.nabble.com/Property-expansion-in-macrodef-attributes-td5476406.html
+       https://marc.info/?l=ant-user&m=111231719328847
+       http://ant-contrib.sourceforge.net/tasks/tasks/propertycopy.html
+       http://www.jguru.com/faq/view.jsp?EID=1072238
+       * propfile:
+       https://ant.apache.org/manual/Tasks/propertyfile.html
+  <if>
+    <bool><not><matches string="${server.protocols}" pattern="^\s*(https?|http\s*,\s*https|https\s*,\s*http)\s*$"/></not></bool>
+    <fail>@@@@
+      In file build.properties: invalid value for server.protocols.
+      It must contain http or https, or both (in order of preference) separated by commas.
+    </fail>
+  </if>
+  <!--
        * "valid ports range from 1024â49151" is probably about user assignable ports.
        But 80 is a valid port for running web servers including GS
 …
     <if>
       <bool>
+      <and>
+        <isset property="tomcat.port.http"/>
+        <not><matches string="${tomcat.port.http}" pattern="^\d{2,}\s*$"/></not>
+      </and>
+    <not><matches string="${localhost.port.http}" pattern="^\d{2,}\s*$"/></not>
       </bool>
       <fail>...
     ********* ERROR: tomcat.port.http in file build.properties is set to an invalid port number.
+    ********* ERROR: localhost.port.http in file build.properties is set to an invalid port number.
     If port 80 is not possible, user assignable ports range from 1024â49151.
     But don't choose any port already in use by another application.
     Try setting to tomcat.port.http=8383
+    Try setting to localhost.port.http=8383
       </fail>
     </if>
+    <!-- if server.protocols contains https, ensure its port number is valid -->
     <if>
       <bool>
       <and>
         <isset property="tomcat.port.https"/>
+        <matches string="${server.protocols}" pattern="https"/>
         <not><matches string="${tomcat.port.https}" pattern="^\d{2,}\s*$"/></not>
       </and>
       </bool>
       <fail>...
+    ********* ERROR: tomcat.port.https in file build.properties is set to an invalid port number.
+    ********* ERROR: in file build.properties, server.protocols includes https but
+    tomcat.port.https is set to an invalid port number.
     If port 443 is not possible, user assignable ports range from 1024â49151.
     But don't choose any port already in use by another application.
 …
     <!--
      Bail if https is enabled but the keystore password (keystore.pass property) is not set.
+     However, keystore.pass has no default value and is therefore not set as a rule. So don't bail when 'ant' is run for the first time to create build.props from build.props.svn. But do bail if running ant.prepare and https enabled and password not set.
+     (Maybe put this entire section before the first target: so we only bail after all non-targets are executed so that any other first ever initialisation is completed?)
+     However, keystore.pass has no default value and is therefore not set as a rule.
+     So don't bail when 'ant' is run for the first time to create build.props from build.props.svn.
+     But do bail if running ant.prepare and https enabled and password not set.
+     (Maybe put this entire section before the first target: so we only bail after all non-targets
+     are executed so that any other first ever initialisation is completed?)
     -->
     <if>
       <bool>
     <and>
       <isset property="tomcat.port.https"/>
+      <matches string="${server.protocols}" pattern="https"/>
       <or>
         <not><isset property="keystore.pass"/></not>
 …
       <if>
     <bool><isset property="first.run"/></bool>
     <echo>IMPORTANT: When tomcat.port.https is set in file build.properties, as now,
     the keystore.pass property must be set to a non-empty value.
     Either comment out tomcat.port.https if you don't want support for https,
     or set keystore.pass.</echo>
+    <echo>IMPORTANT: In file build.properties, when property server.protocols includes https,
+    as now, the keystore.pass property must be set to a non-empty value.
+    Either set server.protocols to http by itself, if you don't want support for https,
+    or set keystore.pass if you do want https support.</echo>
     <else>
       <fail>...
+      ********* ERROR: tomcat.port.https in file build.properties is set, but its required keystore.pass property is not set or is set to the empty string. Choose a password for keystore.pass and set it in build.properties before proceeding.
+      ********* ERROR: server.protocols contains https in file build.properties, but the keystore.pass
+      property required for obtaining/renewing the https certificate is not set or is set to the empty
+      string. Choose a password for keystore.pass and set it in build.properties before proceeding.
       </fail>
     </else>
 …
     </if>
+    <!-- Set the keystore file name for linux versus windows. Ultimately unused/inactive if HTTPS is not enabled and no certificate obtained. We don't have https certification on mac -->
+    <condition property="keystore.file" value="fullchain_and_prvtkey.pfx" else="fullchain_and_prvtkey.p12">
+        <istrue value="${current.os.iswindows}"/>
+    </condition>
+    <!-- Set the keystore file name for linux versus windows. Ultimately unused/inactive if HTTPS
+     isn't enabled and no certificate obtained. We don't yet have https certification on mac -->
+    <condition property="keystore.file" value="fullchain_and_prvtkey.pfx" else="fullchain_and_prvtkey.p12">
+      <istrue value="${current.os.iswindows}"/>
+    </condition>
+    <!-- Originally, https redirectPort when using regular http port 8383
+     was always fixed at 8443. Now we use redirectPort=tomcat.port.https.
+    -->
+    <property name="https.redirect.port" value="${tomcat.port.https}"/>
+    <!-- The default protocol to be used is the FIRST in the comma separated list for server.protocols
+    The default public tomcat port depends on the default server protocol
+    -->
+    <if>
+      <bool><matches string="${server.protocols}" pattern="^https"/></bool>
+      <property name="default.server.protocol" value="https"/>
+      <property name="default.tomcat.port" value="${tomcat.port.https}"/>
+      <else>
+    <property name="default.server.protocol" value="http"/>
+    <property name="default.tomcat.port" value="${localhost.port.http}"/>
+      </else>
+    </if>
+    <!-- For setting filter tokens.
+     Used to set up server.xml when configuring tomcat -->
+    <property name="comment.start" value="&lt;!--" />
+    <property name="comment.end" value="--&gt;" />
     <!--
+. Using the macrodef task from ant 1.6+ (https://ant.apache.org/manual/Tasks/macrodef.html)
+     to define "propertycopy" macro that then allows us to use nested variables in build.xml
+     (Is there any way to use nested variables in build.properties?)
+     Defining the propertycopy macro:
+     http://ant.apache.org/faq.html#propertyvalue-as-name-for-property
+     If https is enabled, regardless of whether it is the default protocol,
+     there's some more work to do:
+     -
+     - if https is not enabled, comment out its Connecter element in server.xml
+    -->
+    <if>
+      <bool><matches string="${server.protocols}" pattern="https"/></bool>
+      <property name="https.comment.out.start" value=""/>
+      <property name="https.comment.out.end" value=""/>
+      <else>
+    <property name="https.comment.out.start" value="${comment.start}"/>
+    <property name="https.comment.out.end" value="${comment.end}"/>
+      </else>
+    </if>
+    <!-- if server.protocols doesn't contain http, then http is only to be locally available,
+     e.g. for solr servlet on 127.0.0.1
+     In that case, see https://serverfault.com/questions/218666/how-to-configure-tomcat-to-only-listen-to-127-0-0-1
     -->
+    <macrodef name="propertycopy">
+      <attribute name="name"/>
+      <attribute name="from"/>
+      <sequential>
+    <property name="@{name}" value="${@{from}}"/>
+      </sequential>
+    </macrodef>
+    <!--
+. Now can use the 'propertycopy' macro defined above to allow us to use a property's value
+    (e.g. server.protocol's value) as a part of the name for a property.
+    So we want do something like ${tomcat.port.${server.protocol}}, which, if server.protocol=http,
+    we'd like it to turn into tomcat.port.http. Then we want to use the constructed variable name
+    to assign its value to a new variable. Use is as follows:
+       propertycopy name="tomcat.port.protocol" from="tomcat.port.${server.protocol}"
+    http://ant.1045680.n5.nabble.com/Property-expansion-in-macrodef-attributes-td5476406.html
+    <condition property="restrict.http.to.local" value="false" else="true">
+      <matches string="${server.protocols}" pattern="http($|\s+|,)"/>
+    </condition>
+    <condition property="http.address.restriction" value="address=&quot;127.0.0.1&quot;" else="">
+      <istrue value="${restrict.http.to.local}"/>
+    </condition>
+    <!-- No certificates for localhost: https://letsencrypt.org/docs/certificates-for-localhost/
+    But 'localhost' (or actually, 127.0.0.1) needed for solr: solr servlet not accessible to outside world
     -->
+    <propertycopy name="internal.tomcat.port" from="tomcat.port.${server.protocol}"/>
+    <if>
+      <bool><matches string="${internal.tomcat.port}" pattern="tomcat\.port"/></bool>
+      <fail>...
+      ********* ERROR: Unable to set tomcat.port:
+      In file build.properties server.protocol=${server.protocol} and requires at minimum that its
+      matching tomcat.port.${server.protocol} property line is enabled and set to a valid port number.</fail>
+    </if>
+  <!-- If we got here, we got a valid tomcat port. Set tomcat.port in build.properties
+       Set autogenerated properties (properties we calculate here in build.xml)
+       in build.properties. https://ant.apache.org/manual/Tasks/propertyfile.html
+       For now only internal.tomcat.port is determined by build.xml
+       and written out to build.properties as tomcat.port.
+       Internally, this file still uses internal.tomcat.port as any old value
+       read in from build.properties for tomcat.port can't be changed in memory
+       even though we can write it back out again to build.properties.
+  -->
+  <echo>Using tomcat port: ${internal.tomcat.port}</echo>
+  <!-- We're no longer writing out a tomcat.port property to build.properties based on what we've determined this should be:
+  - the perl code only cares about the final GS3 URL, which is determined by this ant build file and uses internal.tomcat.port
+  - and the GS3 Java src code has been updated to work without tomcat.port in build.properties -->
+  <!--
+  <propertyfile file="build.properties">
+    <entry key="tomcat.port" value="${internal.tomcat.port}"/>
+  </propertyfile>
+  -->
+  <!-- For setting filter tokens.
+       Used to set up server.xml when configuring tomcat -->
+  <property name="comment.start" value="&lt;!--" />
+  <property name="comment.end" value="--&gt;" />
+  <!-- originally, https redirectPort when using regular http port 8383
+  was always fixed at 8443. Now we use redirectPort=tomcat.port.https unless
+  it's not set, in which case we fall back to the original value of 8443. -->
+  <condition property="https.redirect.port" value="${tomcat.port.https}" else="8443">
+    <isset property="tomcat.port.https"/>
+  </condition>
+  <!-- if http is not enabled, comment out its Connecter element in server.xml -->
+  <condition property="http.comment.out.start" value="" else="${comment.start}">
+    <isset property="tomcat.port.http"/>
+  </condition>
+  <condition property="http.comment.out.end" value="" else="${comment.end}">
+    <isset property="tomcat.port.http"/>
+  </condition>
+  <!-- if https is not enabled, comment out its Connecter element in server.xml -->
+  <condition property="https.comment.out.start" value="" else="${comment.start}">
+    <isset property="tomcat.port.https"/>
+  </condition>
+  <condition property="https.comment.out.end" value="" else="${comment.end}">
+    <isset property="tomcat.port.https"/>
+  </condition>
+    <property name="local.http.url" value="http://127.0.0.1:${localhost.port.http}"/>
     <!-- On linux, if testing https certification, pass in minus-minus-staging. If not testing on linux, nothing extra to pass in.
 …
   <target name="get-default-servlet-url">
+    <echo>${server.protocol}://${tomcat.server}:${internal.tomcat.port}${app.path}${server.default.servlet}</echo>
+  </target>
+    <echo>${default.server.protocol}://${tomcat.server}:${default.tomcat.port}${app.path}${server.default.servlet}</echo>
+  </target>
+  <!-- solr should only be accessible locally, which therefore also means only over http.
+  But for http,  use 127.0.0.1 instead of localhost (as localhost can be mapped to something other than 127.0.0.1
+  and is therefore not safe). See https://letsencrypt.org/docs/certificates-for-localhost/ -->
   <target name="get-solr-servlet-url">
+    <echo>${server.protocol}://${tomcat.server}:${internal.tomcat.port}/${solr.context}</echo>
+    <!--<echo>${default.server.protocol}://${tomcat.server}:${default.tomcat.port}/${solr.context}</echo>-->
+    <echo>http://127.0.0.1:${localhost.port.http}/${solr.context}</echo>
   </target>
 …
     </if>
     <if><bool><isset property="install.flax"/></bool>
         <property name="url" value="${server.protocol}://${tomcat.server}:${internal.tomcat.port}${app.path}/flax"/>
+        <property name="url" value="${default.server.protocol}://${tomcat.server}:${default.tomcat.port}${app.path}/flax"/>
     <else>
         <property name="url" value="${server.protocol}://${tomcat.server}:${internal.tomcat.port}${app.path}/"/>
+        <property name="url" value="${default.server.protocol}://${tomcat.server}:${default.tomcat.port}${app.path}/"/>
     </else>
     </if>
 …
   <target name="accept-properties" unless="properties.accepted">
     <input addproperty="properties.ok" validargs="y,n">The following properties (among others) are being used from a build.properties file found in this directory:
       server.protocol=${server.protocol}
+      server.protocols=${server.protocols}
       tomcat.server=${tomcat.server}
-      <!--tomcat.port=${internal.tomcat.port}-->
-      tomcat.port.http=${tomcat.port.http}
       tomcat.port.https=${tomcat.port.https}
+      localhost.port.http=${localhost.port.http}
+         default.server.protocol=${default.server.protocol}
+         default.tomcat.port=${default.tomcat.port}
+         Local base HTTP URL used by Greenstone: ${local.http.url}
       tomcat.installed.path=${tomcat.installed.path} (this is the location of Tomcat's base dir if it is already installed)
       proxy.host=${proxy.host}
 …
       </or>
     </condition>
-    <echo>internal.tomcat.port = ${internal.tomcat.port}</echo>
     <condition property="proxy.present">
 …
     <filter token="gsdl3writablehome" value="${src.gsdl3.writablehome.unix}"/>
     <filter token="gsdl3version" value="${app.version}"/>
+    <filter token="server.protocol" value="${server.protocol}"/>
+    <filter token="server.protocols" value="${server.protocols}"/>
+    <filter token="default.server.protocol" value="${default.server.protocol}"/>
     <filter token="tomcat.server" value="${tomcat.server}"/>
+    <filter token="tomcat.port" value="${internal.tomcat.port}"/>
+    <!-- add filters for tomcat.port.http and tomcat.port.https depending on if
+     these are set. If any is not set, set its filter to the empty string -->
+    <if>
+      <bool><isset property="tomcat.port.http"/></bool>
+      <filter token="tomcat.port.http" value="${tomcat.port.http}"/>
+      <else><filter token="tomcat.port.http" value=""/></else>
+    </if>
+    <if>
+      <bool><isset property="tomcat.port.https"/></bool>
+      <filter token="tomcat.port.https" value="${tomcat.port.https}"/>
+      <else><filter token="tomcat.port.https" value=""/></else>
+    </if>
+    <filter token="default.tomcat.port" value="${default.tomcat.port}"/>
+    <filter token="localhost.port.http" value="${localhost.port.http}"/>
+    <filter token="tomcat.port.https" value="${tomcat.port.https}"/>
     <filter token="greenstone.context" value="${greenstone.context}"/>
     <filter token="solr.context" value="${solr.context}"/>
 …
         See https://ant.apache.org/manual/Tasks/antcall.html -->
     <antcall target="start">
+        <param name="tomcat.port.http" value="80"/>
+        <param name="internal.tomcat.port" value="80"/>
+        <param name="http.comment.out.start" value=""/>
+        <param name="http.comment.out.end" value=""/>
+        <param name="localhost.port.http" value="80"/>
+        <param name="default.tomcat.port" value="80"/>
+        <param name="http.address.restriction" value=""/><!-- don't prevent public access over http of port 80 -->
         <param name="https.comment.out.start" value="${comment.start}"/>
         <param name="https.comment.out.end" value="${comment.end}"/>
 …
     <!-- stop the tomcat running on port 80 -->
     <antcall target="stop">
+        <param name="tomcat.port.http" value="80"/>
+        <param name="internal.tomcat.port" value="80"/>
+        <param name="http.comment.out.start" value=""/>
+        <param name="http.comment.out.end" value=""/>
+        <param name="localhost.port.http" value="80"/>
+        <param name="default.tomcat.port" value="80"/>
+        <param name="http.address.restriction" value=""/>
         <param name="https.comment.out.start" value="${comment.start}"/>
         <param name="https.comment.out.end" value="${comment.end}"/>
 …
         <filter token="shutdown-port" value="${tomcat.shutdown.port}"/>
     <filter token="https.redirect.port" value="${https.redirect.port}"/>
     <filter token="tomcat.port.http" value="${tomcat.port.http}"/>
+    <filter token="localhost.port.http" value="${localhost.port.http}"/>
     <filter token="tomcat.port.https" value="${tomcat.port.https}"/>
     <!-- Relative path preferred for keystore.file, in case tomcat is moved elsewhere -->
 …
     <filter token="keystore.type" value="PKCS12"/>
     <filter token="keystore.pass" value="${keystore.pass}"/>
+    <filter token="http.comment.out.start" value="${http.comment.out.start}"/>
+    <filter token="http.comment.out.end" value="${http.comment.out.end}"/>
+    <!--
+        if server.protocols doesn't contain http, then http is only to be locally available (e.g. for solr servlet on 127.0.0.1)
+        In that case, see https://serverfault.com/questions/218666/how-to-configure-tomcat-to-only-listen-to-127-0-0-1
+    -->
+    <filter token="http.address.restriction" value="${http.address.restriction}"/>
+    <filter token="restrict.http.to.local" value="${restrict.http.to.local}"/>
     <filter token="https.comment.out.start" value="${https.comment.out.start}"/>
     <filter token="https.comment.out.end" value="${https.comment.out.end}"/>
 …
     <waitfor maxwait="5" maxwaitunit="second">
       <and>
+        <socket server="${tomcat.server}" port="${internal.tomcat.port}"/>
+        <http url="${server.protocol}://${tomcat.server}:${internal.tomcat.port}${app.path}/index.html"/>
+        <socket server="${tomcat.server}" port="${default.tomcat.port}"/>
+    <!--<http url="${default.server.protocol}://${tomcat.server}:${default.tomcat.port}${app.path}/index.html"/>-->
+    <http url="${local.http.url}${app.path}/index.html"/>
       </and>
     </waitfor>
 …
     <if><bool><istrue value="${tomcat.isstarted}"/></bool>
       <echo>**************************************</echo>
       <echo>A WEB SERVER IS ALREADY RUNNING ON ${server.protocol}://${tomcat.server}:${internal.tomcat.port}. NOT STARTING.</echo>
+      <echo>A WEB SERVER IS ALREADY RUNNING ON ${default.server.protocol}://${tomcat.server}:${default.tomcat.port} (${local.http.url}). NOT STARTING.</echo>
       <echo>**************************************</echo>
       <else>
 …
     <waitfor maxwait="5" maxwaitunit="second">
       <and>
+        <socket server="${tomcat.server}" port="${internal.tomcat.port}"/>
+        <http url="${server.protocol}://${tomcat.server}:${internal.tomcat.port}${app.path}/index.html"/>
+        <socket server="${tomcat.server}" port="${default.tomcat.port}"/>
+        <!--<http url="${default.server.protocol}://${tomcat.server}:${default.tomcat.port}${app.path}/index.html"/>-->
+        <http url="${local.http.url}${app.path}/index.html"/>
       </and>
     </waitfor>
 …
   <target name="reconfigure" description="Reconfigure the message router">
     <waitfor maxwait="5" maxwaitunit="second">
+      <http url="${server.protocol}://${tomcat.server}:${internal.tomcat.port}${app.path}${server.default.servlet}?a=s&amp;sa=c"/>
+      <!--<http url="${default.server.protocol}://${tomcat.server}:${default.tomcat.port}${app.path}${server.default.servlet}?a=s&amp;sa=c"/>-->
+      <http url="${local.http.url}${app.path}${server.default.servlet}?a=s&amp;sa=c"/>
     </waitfor>
   </target>
 …
   <target name="reconfigure-collection" description="Reconfigure the collection">
     <waitfor maxwait="5" maxwaitunit="second">
+      <http url="${server.protocol}://${tomcat.server}:${internal.tomcat.port}${app.path}${server.default.servlet}?a=s&amp;sa=c&amp;sc=${collection}"/>
+      <!--<http url="${default.server.protocol}://${tomcat.server}:${default.tomcat.port}${app.path}${server.default.servlet}?a=s&amp;sa=c&amp;sc=${collection}"/>-->
+      <http url="${local.http.url}${app.path}${server.default.servlet}?a=s&amp;sa=c&amp;sc=${collection}"/>
     </waitfor>
   </target>
 …
   <target name="check-tomcat-running">
     <condition property="tomcat.isrunning">
+      <!--<http url="${server.protocol}://${tomcat.server}:${internal.tomcat.port}${app.path}"/>-->
+      <http url="${server.protocol}://${tomcat.server}:${internal.tomcat.port}"/>
+      <!--<http url="${default.server.protocol}://${tomcat.server}:${default.tomcat.port}${app.path}"/>-->
+      <!--<http url="${default.server.protocol}://${tomcat.server}:${default.tomcat.port}"/>--><!-- untrusted certificates won't work, so don't test https urls-->
+      <http url="${local.http.url}"/><!-- testing the local http url instead -->
     </condition>
   </target>
 …
       <target name="verbose-check-tomcat-running">
       <condition property="tomcat.isrunning" value="true" else="false">
+      <http url="${server.protocol}://${tomcat.server}:${internal.tomcat.port}"/>
+      <http url="${default.server.protocol}://${tomcat.server}:${default.tomcat.port}"/>
+      <http url="${local.http.url}"/>
       </condition>
       <echo>Tomcat is running: ${tomcat.isrunning}</echo>
 …
   <target name="check-tomcat-started">
     <condition property="tomcat.isstarted">
+      <http url="${server.protocol}://${tomcat.server}:${internal.tomcat.port}"/>
+      <!--<http url="${default.server.protocol}://${tomcat.server}:${default.tomcat.port}"/>-->
+      <http url="${local.http.url}"/>
     </condition>
   </target>
 …
      <echo>Waiting for the server to shutdown... (${wait.numchecks} seconds max)</echo>
      <waitfor maxwait="${wait.numchecks}" maxwaitunit="second" checkevery="1" checkeveryunit="second" timeoutproperty="tomcat.timedout">
        <not><socket server="${tomcat.server}" port="${internal.tomcat.port}"/></not>
+       <not><socket server="${tomcat.server}" port="${default.tomcat.port}"/></not>
      </waitfor>
 …
        </bool>
        <property name="tomcat.isrunning" value="true"/>
        <echo>WARNING: Checked the socket ${wait.numchecks} times, but port ${internal.tomcat.port} is still busy.</echo>
+       <echo>WARNING: Checked the socket ${wait.numchecks} times, but port ${default.tomcat.port} is still busy.</echo>
        <else>
      <echo>Tomcat is stopped.</echo>
 …
       <classpath refid="compile.classpath"/>
       <arg value="-l"/>
       <arg value="${server.protocol}://${tomcat.server}:${internal.tomcat.port}${app.path}/servlet/AxisServlet"/>
+      <arg value="${default.server.protocol}://${tomcat.server}:${default.tomcat.port}${app.path}/servlet/AxisServlet"/>
       <arg file="${basedir}/resources/soap/deploy.wsdd"/>
     </java>
 …
       <classpath refid="compile.classpath"/>
       <arg value="-l"/>
       <arg value="${server.protocol}://${tomcat.server}:${internal.tomcat.port}${app.path}/servlet/AxisServlet"/>
+      <arg value="${default.server.protocol}://${tomcat.server}:${default.tomcat.port}${app.path}/servlet/AxisServlet"/>
       <arg file="${basedir}/resources/soap/undeploy.wsdd"/>
     </java>
 …
   <target name="get-undeploy-service-name" unless="axis.undeploy.servicename">
     <input addproperty="axis.undeploy.servicename" defaultvalue="localsite">Please enter the full name of the service you wish to undeploy.
 To find out which web services you've got deployed, point your browser to ${server.protocol}://${tomcat.server}:${internal.tomcat.port}/greenstone3/services
+To find out which web services you've got deployed, point your browser to ${default.server.protocol}://${tomcat.server}:${default.tomcat.port}/greenstone3/services
 Or press Enter for undeploying the default:localsite /&gt;</input>
      <echo>Name of service to undeploy: ${axis.undeploy.servicename}</echo>
 …
                 <java classname="org.junit.runner.JUnitCore" fork="true">
                     <arg value="gstests.TestClass"/>
                     <jvmarg value="-DSERVERURL=${server.protocol}://${tomcat.server}:${internal.tomcat.port}${app.path}${server.default.servlet} "/>
+                    <jvmarg value="-DSERVERURL=${default.server.protocol}://${tomcat.server}:${default.tomcat.port}${app.path}${server.default.servlet} "/>
                     <classpath>
                         <fileset dir="${basedir}/ext/testing/lib/java">

main/trunk/greenstone3/resources/tomcat/server_tomcat7.xml.svn

-              r32349
+              r32429
          Define a non-SSL HTTP/1.1 Connector on port @port@
     -->
+    @http.comment.out.start@
+    <Connector executor="tomcatThreadPool"
+           port="@tomcat.port.http@" protocol="HTTP/1.1"
+    <Connector executor="tomcatThreadPool" @http.address.restriction@
+           port="@localhost.port.http@" protocol="HTTP/1.1"
                connectionTimeout="20000"
                redirectPort="@https.redirect.port@"
 …
                URIEncoding="UTF-8"
            />
-    @http.comment.out.end@
     <!-- A "Connector" using the shared thread pool-->
     <!--
     <Connector executor="tomcatThreadPool"
                port="@tomcat.port.http@" protocol="HTTP/1.1"
+    <Connector executor="tomcatThreadPool" @http.address.restriction@
+               port="@localhost.port.http@" protocol="HTTP/1.1"
                connectionTimeout="20000"
                redirectPort="@https.redirect.port@" />

main/trunk/greenstone3/resources/web/global.properties.svn

-              r32379
+              r32429
 # tomcat info
 server.protocol=@server.protocol@
+server.protocol=@default.server.protocol@
 [email protected]@
+[email protected]@
+[email protected]@
+[email protected]@
+[email protected]@
 [email protected]@
 [email protected]@
 [email protected]@
 derby.server=@derbyserver@
+[email protected]@
+[email protected]@
+localhost.protocol.http=http
+localhost.server.http=127.0.0.1
+[email protected]@
+[email protected]@
 ## Proxy setup - set these if you are behind a firewall and you want services that access the internet

main/trunk/greenstone3/src/java/org/greenstone/gsdl3/service/FedoraServiceProxy.java

r32419	r32429
181	181	return false;
182	182	} catch(Exception e) {
183		logger.error("Error instantiating the interface to the Fedora Repository:\n", e); // second parameter prints e's stacktrace
	183	logger.error("Error instantiating the interface to the Fedora Repository: " + e.getMessage() + "\n", e); // second parameter prints e's stacktrace
184	184	return false; // configure has failed
185	185	}

main/trunk/greenstone3/src/java/org/greenstone/gsdl3/util/ServletRealmCheck.java

r32419	r32429
125	125
126	126	} catch (Exception ex) {
	127	System.err.println("Got exception " + ex.getMessage());
127	128	ex.printStackTrace();
128	129	} finally {

main/trunk/greenstone3/src/java/org/greenstone/server/Server3.java

-              r32419
+              r32429
             protocolPortProps = new ProtocolPortProperties(config_properties);
         } catch(Exception e) {
             String errorMsg = "Error with port/protocol in " + config_properties_file + ": " + protocolPortProps.getErrorMsg();
+            String errorMsg = "@@@ Error with ports/protocol in " + config_properties_file + ": " + e.getMessage();
             // print it everywhere, because port/protocol misconfiguration is a fatal error and we're exiting
             logger_.error(errorMsg);
+            logger_.error(errorMsg, e);
             System.err.println(errorMsg);
             // If error, then quit this app as soon as possible
 …
+        }
+        Property = protocolPortProps.legacyMode ? new Server3Property() : new Server3Property(protocolPortProps.getProtocol());
+        Property = new Server3Property(protocolPortProps.getDefaultPortPropertyName());
+               // defaultPortPropertyName can be 'localhost.port.http' or 'tomcat.port.https'
+               // depending on which of http and https is the first value of 'server.protocols'
         String frame_title = dictionary.get("ServerControl.Frame_Title");

main/trunk/greenstone3/src/java/org/greenstone/server/Server3Property.java

r32357	r32429
14	14	}
15	15
16		Server3Property(String ~~protocol~~)
	16	Server3Property(String defaultPortPropertyName)
17	17	{
18	18	// Initialising customised final variables
19	19	// Version number, WEB_PORT, autoenter, startbrowser
20	20	// For GS3, the last two are controlled by the same property
21		super("3", ~~"tomcat.port."+protocol~~, "server.auto.start", "server.auto.start",
	21	super("3", defaultPortPropertyName, "server.auto.start", "server.auto.start",
22	22	"server.keep.port", "server.external.access");
23	23	}

main/trunk/greenstone3/src/java/org/greenstone/util/GlobalProperties.java

-              r32357
+              r32429
     private static String gsdl3_writablehome = null;
     private static String gsdl3_web_address = null;
+    private static String full_gsdl3_web_address = null;
+    private static String http_full_gsdl3_web_address = null;
+    private static String https_full_gsdl3_web_address = null;
+    private static String full_gsdl3_web_address = null; // for the default protocol
+    private static String http_full_gsdl3_web_address = null; // if http or both protocols supported
+    private static String https_full_gsdl3_web_address = null; // if https or both protocols supported
+    // The locally accessible url such as for solr is always available at http://127.0.0.1:<httpPort>
+    // regardless of whether http is listed as one of the server protocols
+    private static String localhost_http_web_address = null;
     /** get the value of the property 'key'. returns null if not found */
 …
+    {
         return full_gsdl3_web_address;
+    }
+    public static String getLocalHttpBaseAddress()
+    {
+        return localhost_http_web_address;
+    }
 …
             String protocolSpecifier = null, hostSpecifier = null, portSpecifier = null, contextSpecifier = null;
             //protocol
+            // default protocol
             protocolSpecifier = properties.getProperty("server.protocol");
             if (protocolSpecifier == null || protocolSpecifier.equals(""))
 …
+            }
             //port
+            //default port (port for the default protocol)
             portSpecifier = properties.getProperty("tomcat.port"); // support for legacy tomcat.port?
-            if(portSpecifier == null) {
-                portSpecifier = protocolSpecifier.startsWith("https") ? properties.getProperty("tomcat.port.https") : properties.getProperty("tomcat.port.http");
+            }
             if (portSpecifier == null || portSpecifier.equals("")
                 || (protocolSpecifier.equals("http://") && portSpecifier.equals("80"))
 …
             gsdl3_web_address = contextSpecifier;
+            // Set the always available internal root address that is locally accessible (http://127.0.0.1:<httpPort>)
+            // Used by solr.
+            String httpPort = properties.getProperty("localhost.port.http");
+            localhost_http_web_address = properties.getProperty("localhost.protocol.http") + "://"
+                + properties.getProperty("localhost.server.http") // always uses 127.0.0.1 (not localhost, which can be modified and is therefore unsafe!)
+                + httpPort;
             // set the http and https variants of the full web address, if they're meant to be available
+            if(protocolSpecifier.startsWith("https")) { // check the default protocol, then set the address for the other protocol too
+            // First check the default protocol, then set the web address for the other protocol too
+            String supportedProtocols = properties.getProperty("server.protocols", "http");
+            String isHttpRestrictedToLocal = properties.getProperty("restrict.http.to.local", "true");
+            if(protocolSpecifier.startsWith("https")) {
                 https_full_gsdl3_web_address = full_gsdl3_web_address;
+                // and set http version, if sufficient properties are available
+                String httpPort = properties.getProperty("tomcat.port.http");
+                if(httpPort != null && !httpPort.equals("")) {
+                // and set http version of URL, if http is made public (if http is in server.protocols list)
+                if(isHttpRestrictedToLocal.equals("false")) {
                 http_full_gsdl3_web_address = "http://" + hostSpecifier + httpPort + contextSpecifier;
+                }
 …
                 http_full_gsdl3_web_address = full_gsdl3_web_address;
                 // and set https version, if sufficient properties are available
                 String httpsPort = properties.getProperty("tomcat.port.https");
                 if(httpsPort != null && !httpsPort.equals("")) {
+                // and set https version, if https enabled
+                if(supportedProtocols.contains("https")) {
+                String httpsPort = properties.getProperty("tomcat.port.https");
                 https_full_gsdl3_web_address = "https://" + hostSpecifier + httpsPort + contextSpecifier;
+                }

main/trunk/greenstone3/src/java/org/greenstone/util/ProtocolPortProperties.java

-              r32419
+              r32429
 /*
  * Utility class to set the protocol and port values from the Properties provided,
+ * Utility class to set the protocol and port values from the Properties instance provided,
  * which can be a Properties object loaded from either build.properties or global.properties
+ * Currently used by ServletRealmCheck and FedoraServiceProxy.
+ * (Could also be used by Server3.java and GlobalProperties in future, if applicable.)
+ * Currently used by Server3.java, ServletRealmCheck, FedoraServiceProxy and solr java code
+ * GS2SolrSearch and SolrSearch.
+ * (Could perhaps also be used by GlobalProperties in future, if applicable.)
  * Can adjust fallback behaviour in this one location to make them all work consistently.
+ *
+ * NOTE: although global.properties contains many additional programmatically set properties
+ * that could simplify this class, the fact that this class should work for both build.properties
+ * and global.properties means that this class will work only with the properties common to
+ * both property files.
  */
+public class ProtocolPortProperties {
+    public final boolean legacyMode; // true if before https protocol supported
+public class ProtocolPortProperties {
     public static final int ALL_CORRECT = 0;
     public static final int SECONDARY_PORT_NON_NUMERIC = 1;
     public static final int INVALID_PRIMARY_PORT = 2;
     public static final int OLD_TOMCATPORT_BUT_NO_VALUE = 3;
     public static final int NO_PROTOCOL_OR_PORT = 4;
     public static final int INVALID_PROTOCOL = 5;
     public static final int HTTPS_INCONSISTENCY = 6;
     private static final String defProtocol = "http";
     private static final String defHttpPort = "8383";
     private static final String defHttpsPort = "8443";
     private String protocol; //= defProtocol;
     private String port; //defHttpPort; //defProtocol.equals("https") ? defHttpsPort : defHttpPort; // port that matches protocol as String
     private String httpPort; //defHttpPort;
     private String httpsPort; //defHttpsPort;
+    public static final int NO_PROTOCOL = 3;
+    public static final int INVALID_PROTOCOL = 4;
+    public static final int NO_HTTP_PORT = 5;
+    public static final int NO_HTTPS_PORT = 6;
+    private static final String FALLBACK_PROTOCOL = "http";
+    private static final String FALLBACK_HTTP_PORT = "8383";
+    private static final String FALLBACK_HTTPS_PORT = "8443";
+    private String protocol;
+    private String port;
+    private String httpPort;
+    private String httpsPort;
     //private int portNum = -1; // port that matches protocol as int
     private String errorMsg;
+    private int errorCode;
+    public String getProtocol() { return protocol; }
+    private int errorCode = ALL_CORRECT;
+    private boolean httpRestrictedToLocal = true;
+    private boolean supportsHttps = false;
+    private String defaultPortPropertyName = "localhost.port.http";
+    // default protocol if multiple supported
+    public String getProtocol() { return protocol; }
+    // default port (port for default protocol)
     public String getPort() { return port; }
+    // httpPort is always set, but http may or may not be public
     public String getHttpPort() { return httpPort; }
+    // httpsPort is null if https not supported
     public String getHttpsPort() { return httpsPort; }
+    public int getPortNum() { return Integer.parseInt(port); }
+    public int getPortNum() { return Integer.parseInt(port); }
+    // http is always available locally (over 127.0.0.1). But http may or may not be public.
+    // Returns true if public http support requested
+    public boolean supportsHttp() { return !httpRestrictedToLocal; }
+    // true if https is supported
+    public boolean supportsHttps() { return supportsHttps; }
+    // used by Server3.java to know the name of the port property to load
+    public String getDefaultPortPropertyName() { return defaultPortPropertyName; }
     public String getErrorMsg() { return errorMsg; }
 …
     public boolean hadError() { return errorCode != ALL_CORRECT; }
+    // Won't attempt to recover on error.
+    // This means on error, port etc values will be invalid
+    // Use 127.0.0.1 instead of localhost since localhost is unsafe (can be mapped
+    // to something other than 127.0.0.1). See https://letsencrypt.org/docs/certificates-for-localhost/
+    public String getLocalHttpBaseAddress() {
+    // httpPort is set during the constructor,
+    // so knowing httpPort, we can set the internal/local access http URL:
+    String portSuffix = httpPort.equals("80") ? "" : (":"+httpPort);
+    return "http://127.0.0.1"+portSuffix;
+    }
+    // Constructor that will throw an Exception on ports/protocol configuration error or inconsistency
     public ProtocolPortProperties(Properties props) throws Exception {
     this(props, false);
+    }
+    // If param recover is true, will attempt to fallback to sane values for protocol and ports.
+    // You can still check for error by calling hadError(), getErrorMsg() and getErrorCode().
+    // If param recover is false, will throw an Exception on bad ports/protocol configuration
+    // and the error message is available as the exception description.
     public ProtocolPortProperties(Properties props, boolean recover) throws Exception
+    {
     StringBuffer msg = new StringBuffer();
+    port = props.getProperty("tomcat.port");
+    // We could either be dealing with properties files from before https support was introduced, in which case we want to be backwards compatible
+    // Or we're dealing with properties files after https support was introduced.
+    // To determine which, can ignore server.protocol: server.protocol was introduced at a time when tomcat.port was still in effect,
+    // server.protocol's presence does not indicate whether our GS3 installation supports https or not. Only the tomcat.port properties
+    // indicates that: if tomcat.port exists BUT tomcat.port.http(s) don't, then it's an older GS3 that has no https support, so default to http.
+    // If there is no tomcat.port at all, but there is a server.protocol check for the newer tomcat.port.<protocol> properties.
+    // NOTE: global.properties still has a property called tomcat.port. We're only dealing with the old tomcat.port-only way if tomcat.port.http(s) don't exist
+    if(props.getProperty("tomcat.port.http") == null && props.getProperty("tomcat.port.https") == null && port != null) {
+                // tomcat.port exists but tomcat.port.http(s) don't, so this is a GS3 before https support.
+        legacyMode = true;
+        // Back when tomcat.port was used AND tomcat.port.http(s) didn't exist, server.protocol if specified
+        // would always be treated as http regardless of what it was set to
+        protocol = defProtocol; // tomcat.port.http(s) doesn't exist, just use http
+        if(port.equals("")) {
+        errorCode =  OLD_TOMCATPORT_BUT_NO_VALUE;
+        msg.append("tomcat.port enabled but did not have a value.");
+        if(recover) {
+            port = httpPort = defHttpPort;
+    httpPort = props.getProperty("localhost.port.http");
+    if(httpPort == null || httpPort.equals("")) {
+        errorCode = NO_HTTP_PORT;
+        msg.append("compulsory property localhost.port.http has no value (must be set to a valid port number not already in use).");
+        httpPort = FALLBACK_HTTP_PORT;
+    }
+    String supportedProtocols = props.getProperty("server.protocols");
+    if(supportedProtocols == null || supportedProtocols.equals("")) {
+        errorCode = NO_PROTOCOL;
+        msg.append("server.protocols not set.");
+        protocol = FALLBACK_PROTOCOL; // fallback to http as default (and sole) protocol
+        port = httpPort; // set default port to httpPort
+    }
+    else { // supportedProtocols was assigned something
+        if(!supportedProtocols.contains("http")) {
+        errorCode = INVALID_PROTOCOL;
+        msg.append("server.protocols must contain http or https, or both (in order of preference) separated by commas.");
+        protocol = FALLBACK_PROTOCOL;
+        port = httpPort;
+        }
+        // set available protocols with their ports
+        if(supportedProtocols.contains("https")) {
+        supportsHttps = true;
+        httpsPort = props.getProperty("tomcat.port.https");
+        if(httpsPort == null || httpsPort.equals("")) {
+            errorCode = NO_HTTPS_PORT;
+            msg.append("server.protocols includes https but property tomcat.port.https has no value (must be set to a valid port number not already in use).");
+            httpsPort = FALLBACK_HTTPS_PORT;
+        }
+        } else { // No issues: using tomcat.port is the pre-https way.
+        errorCode = ALL_CORRECT;
+        httpPort = port;
+        }
+    }
+    else {
+        legacyMode = false;
+        protocol = props.getProperty("server.protocol");
+        if(protocol == null || (!protocol.equals("http") && !protocol.equals("https"))) {
+        if(port == null) { // if tomcat.port is null AND server.protocol is null or wrong. Something very wrong with the properties file
+            errorCode = NO_PROTOCOL_OR_PORT;
+            msg.append("server.protocol not set. And can't determine port.");
+        } else if(protocol == null) {
+            errorCode = NO_PROTOCOL_OR_PORT;
+            msg.append("server.protocol not set.");
+        } else {
+            errorCode = INVALID_PROTOCOL;
+            msg.append("server.protocol property must be http or https, but is set to invalid value. And can't determine port.");
+        }
+        if(recover) {
+            protocol = defProtocol;
+            port = httpPort = defHttpPort;
+        }
+        } else { // server.protocol was explicitly set and set to an acceptable value, try to find matching tomcat.port
+        port = props.getProperty("tomcat.port."+protocol); // tomcat.port.http or tomcat.port.https, depending on server.protocol.
+        // Handle cases where there's some inconsistency in the properties file between protocol and port.
+        // i.e. if server.protocol=http, then tomcat.port.http must be set too.
+        if(port == null || port.equals("")) {
+            errorCode = INVALID_PROTOCOL;
+            msg.append("server.protocol="+protocol+", but matching tomcat.port."+protocol+"not enabled or set.");
+            if(recover) {
+            protocol = defProtocol;
+            if(protocol.startsWith("https")) { // server.protocol=https yet tomcat.port.https not provided
+                port = httpsPort = defHttpsPort; // use default https port to set
+            } else {
+                port = httpPort = defHttpPort;
+            }
+            }
+        } else { //tomcat.port.<protocol> property matching server.protocol is set, not checking if it's an int and a valid port, though
+            errorCode = ALL_CORRECT;
+            // port is set
+            if(protocol.startsWith("https")) {
+            httpsPort = port;
+            httpPort = props.getProperty("tomcat.port.http"); // httpPort will remain null if tomcat.port.http not set
+            } else { // protocol=http
+            httpPort = port;
+            httpsPort = props.getProperty("tomcat.port.https"); // httpsPort will remain null if tomcat.port.https not set
+            }
+        }
+        }
+    }
+    if(errorCode == ALL_CORRECT) { // then check any assigned ports are valid
+        }
+        if(supportedProtocols.matches("http(,|\\s+|$)")) {
+        httpRestrictedToLocal = false;
+        }
+        // set default protocol and default port: the first protocol in the supportedProtocols list
+        if(supportedProtocols.matches("^[,\\s]*https")) {
+        protocol = "https";
+        port = httpsPort;
+        } else {
+        protocol = "http";
+        port = httpPort;
+        }
+    }
+    if(!recover && errorCode == ALL_CORRECT) { // then check any assigned ports are valid
         if(httpPort != null) {
         try {
             Integer.parseInt(httpPort);
         } catch(NumberFormatException nfe) {
             msg.append("\nInvalid port specified for over http: not numeric.");
+            msg.append("\nInvalid localhost.port.http specified: must be numeric.");
             if(port == httpPort) {
+            errorCode = INVALID_PRIMARY_PORT;
+            if(recover) {
+                port = httpPort = defHttpPort;
+            } else { // no recovery requested, so if port for protocol is non-numeric, consider it a 'fatal' error
+                port = httpPort = httpsPort = null;
+            }
+            } else { // secondary protocol's port is non-numeric, not fatal?
+            errorCode = INVALID_PRIMARY_PORT;
+            port = httpPort = FALLBACK_HTTP_PORT; // recovery values that can work with default protocol
+            } else { // secondary protocol's port is non-numeric, not fatal in recovery mode
             errorCode = SECONDARY_PORT_NON_NUMERIC;
+            if(recover) {
+                msg.append("\nNot using this port");
+            }
+            httpPort = null;
+            httpPort = null;
+            if(recover) msg.append("\nNot using this port");
+            }
+        }
 …
             Integer.parseInt(httpsPort);
         } catch(NumberFormatException nfe) {
             msg.append("\nInvalid port specified for over https: not numeric.");
+            msg.append("\nInvalid port specified for over https (tomcat.port.https): must be numeric.");
             if(port == httpsPort) {
+            errorCode = INVALID_PRIMARY_PORT;
+            if(recover) {
+                port = httpsPort = defHttpsPort;
+            } else { // primary port affected and not asked to recover, treat as fatal
+                port = httpsPort = httpPort = null;
+            }
+            } else { // non primary port is invalid/non-numeric, not fatal
+            errorCode = INVALID_PRIMARY_PORT;
+            port = httpsPort = FALLBACK_HTTPS_PORT; // recovery values that work with default protocol
+            } else { // non primary port is invalid/non-numeric, not fatal in recovery mode
             errorCode = SECONDARY_PORT_NON_NUMERIC;
-            if(recover) {
-                msg.append("\nNot using this port");
+            }
             httpsPort = null;
+            if(recover) msg.append("\nNot using this port");
+            }
+        }
 …
+    }
+    // if the default port is the httpsPort, then modify the defaultPortPropertyName to match
+    // (else it will remain at the property name for the http port)
+    if(port == httpsPort) {
+        defaultPortPropertyName = "tomcat.port.https";
+    }
     if(recover) {
         msg.append("\nFalling back to port ").append(port).append(" and protocol ").append(protocol).append(".");
+    }
-    // else if(errorCode == ALL_CORRECT) {
-    //    msg.append("\nUsing port ").append(port).append(" and protocol ").append(protocol).append(".");
-    //} // else invalid property value(s) and we've not been asked to recover. msg alreay set.
     errorMsg = msg.toString();

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: