Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port fowarding

for agent services


git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1356 c9f7a03b-bd48-0410-a16d-cbbf54688b0b

19 files changed, 453 insertions, 83 deletions

diff --git a/pki/base/ca/shared/webapps/ROOT/index.jsp b/pki/base/ca/shared/webapps/ROOT/index.jsp
index 3e23e05b0..85a4654c3 100644
--- a/pki/base/ca/shared/webapps/ROOT/index.jsp
+++ b/pki/base/ca/shared/webapps/ROOT/index.jsp
@@ -1,9 +1,94 @@
+<!-- --- BEGIN COPYRIGHT BLOCK ---
+     This program is free software; you can redistribute it and/or modify
+     it under the terms of the GNU General Public License as published by
+     the Free Software Foundation; version 2 of the License.
+
+     This program is distributed in the hope that it will be useful,
+     but WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+     GNU General Public License for more details.
+
+     You should have received a copy of the GNU General Public License along
+     with this program; if not, write to the Free Software Foundation, Inc.,
+     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+     Copyright (C) 2010 Red Hat, Inc.
+     All rights reserved.
+     --- END COPYRIGHT BLOCK --- -->
 <%
-  String op = request.getParameter("op");
-  if (op == null || op.equals("")) {
-    String redirectURL = "/ca/ee/ca";
-    response.sendRedirect(redirectURL);
-  } else if (op.equals("enroll")) {
-    /* redirect to enrollment servlet */
-  }
+    // establish acceptable schemes
+    final String HTTP_SCHEME = "http";
+    final String HTTPS_SCHEME = "https";
+
+    // establish known ports
+    final int EE_HTTP_PORT = [PKI_UNSECURE_PORT];
+    final int AGENT_HTTPS_PORT = [PKI_AGENT_SECURE_PORT];
+    final int EE_HTTPS_PORT = [PKI_EE_SECURE_PORT];
+    final int ADMIN_HTTPS_PORT = [PKI_ADMIN_SECURE_PORT];
+
+    // establish known paths
+    final String ADMIN_PATH = "/[PKI_SUBSYSTEM_TYPE]/services";
+    final String AGENT_PATH = "/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]";
+    final String EE_PATH = "/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]";
+    final String ERROR_PATH = "/[PKI_SUBSYSTEM_TYPE]/404.html";
+
+    // retrieve scheme from request
+    String scheme = request.getScheme();
+
+    // retrieve client hostname on which the request was sent
+    String client_hostname = request.getServerName();
+
+    // retrieve client port number on which the request was sent
+    int client_port = request.getServerPort();
+
+    // retrieve server hostname on which the request was received
+    String server_hostname = request.getLocalName();
+
+    // retrieve server port number on which the request was received
+    int server_port = request.getLocalPort();
+
+    // uncomment the following lines to write to 'catalina.out'
+    //System.out.println( "scheme = '" + scheme + "'" );
+    //System.out.println( "client hostname = '" + client_hostname + "'" );
+    //System.out.println( "client port = '" + client_port + "'" );
+    //System.out.println( "server hostname = '" + server_hostname + "'" );
+    //System.out.println( "server port = '" + server_port + "'" );
+
+    // compose the appropriate URL
+    String URL = "";
+
+    if( scheme.equals( HTTP_SCHEME ) ) {
+        if( server_port == EE_HTTP_PORT ) {
+            URL = scheme + "://" + client_hostname + ":" + client_port + EE_PATH;
+        } else {
+            // unknown HTTP server port:  should never get here
+            URL = scheme + "://" + client_hostname + ":" + client_port + ERROR_PATH;
+
+            // uncomment the following line to write to 'catalina.out'
+            //System.out.println( "Unknown HTTP server port:  '" + server_port + "'" );
+        }
+    } else if( scheme.equals( HTTPS_SCHEME ) ) {
+        if( server_port == AGENT_HTTPS_PORT ) {
+            URL = scheme + "://" + client_hostname + ":" + client_port + AGENT_PATH;
+        } else if( server_port == EE_HTTPS_PORT ) {
+            URL = scheme + "://" + client_hostname + ":" + client_port + EE_PATH;
+        } else if( server_port == ADMIN_HTTPS_PORT ) {
+            URL = scheme + "://" + client_hostname + ":" + client_port + ADMIN_PATH;
+        } else {
+            // unknown HTTPS server port:  should never get here
+            URL = scheme + "://" + client_hostname + ":" + client_port + ERROR_PATH;
+
+            // uncomment the following line to write to 'catalina.out'
+            //System.out.println( "Unknown HTTPS server port:  '" + server_port + "'" );
+        }
+    } else {
+        // unacceptable scheme:  should never get here
+        URL = scheme + "://" + client_hostname + ":" + client_port + ERROR_PATH;
+
+        // uncomment the following line to write to 'catalina.out'
+        //System.out.println( "Unacceptable scheme:  '" + scheme + "'" );
+    }
+
+    // respond (back to browser) with the appropriate redirected URL
+    response.sendRedirect( URL );
 %>
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
index 1a94cb295..72f299278 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
@@ -67,7 +67,7 @@ public class AdminRequestFilter implements Filter
             }
 
             // Always obtain an "https" port from request
-            port = request.getServerPort();
+            port = request.getLocalPort();
             request_port = Integer.toString( port );
 
             // Always obtain the "https" port passed in as a parameter
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
index 542ca4232..f8385f1f9 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
@@ -67,7 +67,7 @@ public class AgentRequestFilter implements Filter
             }
 
             // Always obtain an "https" port from request
-            port = request.getServerPort();
+            port = request.getLocalPort();
             request_port = Integer.toString( port );
 
             // Always obtain the "https" port passed in as a parameter
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
index 9a63e1a58..ef78a799a 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
@@ -67,7 +67,7 @@ public class EEClientAuthRequestFilter implements Filter
             }
 
             // Always obtain an "https" port from request
-            port = request.getServerPort();
+            port = request.getLocalPort();
             request_port = Integer.toString( port );
 
             // Always obtain the "https" port passed in as a parameter
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
index 1f93e080f..dfaf2902d 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
@@ -73,7 +73,7 @@ public class EERequestFilter implements Filter
             }
 
             // Always obtain either an "http" or an "https" port from request
-            port = request.getServerPort();
+            port = request.getLocalPort();
             request_port = Integer.toString( port );
 
             // Always obtain the "http" port passed in as a parameter
diff --git a/pki/base/kra/shared/webapps/ROOT/index.jsp b/pki/base/kra/shared/webapps/ROOT/index.jsp
index 3e23e05b0..4b2b3c60a 100644
--- a/pki/base/kra/shared/webapps/ROOT/index.jsp
+++ b/pki/base/kra/shared/webapps/ROOT/index.jsp
@@ -1,9 +1,98 @@
+<!-- --- BEGIN COPYRIGHT BLOCK ---
+     This program is free software; you can redistribute it and/or modify
+     it under the terms of the GNU General Public License as published by
+     the Free Software Foundation; version 2 of the License.
+
+     This program is distributed in the hope that it will be useful,
+     but WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+     GNU General Public License for more details.
+
+     You should have received a copy of the GNU General Public License along
+     with this program; if not, write to the Free Software Foundation, Inc.,
+     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+     Copyright (C) 2010 Red Hat, Inc.
+     All rights reserved.
+     --- END COPYRIGHT BLOCK --- -->
 <%
-  String op = request.getParameter("op");
-  if (op == null || op.equals("")) {
-    String redirectURL = "/ca/ee/ca";
-    response.sendRedirect(redirectURL);
-  } else if (op.equals("enroll")) {
-    /* redirect to enrollment servlet */
-  }
+    // establish acceptable schemes
+    final String HTTP_SCHEME = "http";
+    final String HTTPS_SCHEME = "https";
+
+    // establish known ports
+    final int EE_HTTP_PORT = [PKI_UNSECURE_PORT];
+    final int AGENT_HTTPS_PORT = [PKI_AGENT_SECURE_PORT];
+    final int EE_HTTPS_PORT = [PKI_EE_SECURE_PORT];
+    final int ADMIN_HTTPS_PORT = [PKI_ADMIN_SECURE_PORT];
+
+    // establish known paths
+    final String ADMIN_PATH = "/[PKI_SUBSYSTEM_TYPE]/services";
+    final String AGENT_PATH = "/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]";
+    final String ERROR_PATH = "/[PKI_SUBSYSTEM_TYPE]/404.html";
+
+    // retrieve scheme from request
+    String scheme = request.getScheme();
+
+    // retrieve client hostname on which the request was sent
+    String client_hostname = request.getServerName();
+
+    // retrieve client port number on which the request was sent
+    int client_port = request.getServerPort();
+
+    // retrieve server hostname on which the request was received
+    String server_hostname = request.getLocalName();
+
+    // retrieve server port number on which the request was received
+    int server_port = request.getLocalPort();
+
+    // uncomment the following lines to write to 'catalina.out'
+    //System.out.println( "scheme = '" + scheme + "'" );
+    //System.out.println( "client hostname = '" + client_hostname + "'" );
+    //System.out.println( "client port = '" + client_port + "'" );
+    //System.out.println( "server hostname = '" + server_hostname + "'" );
+    //System.out.println( "server port = '" + server_port + "'" );
+
+    // compose the appropriate URL
+    String URL = "";
+
+    if( scheme.equals( HTTP_SCHEME ) ) {
+        if( server_port == EE_HTTP_PORT ) {
+            // always redirect to secure admin 'services' port
+            scheme = HTTPS_SCHEME;
+            client_port = ADMIN_HTTPS_PORT;
+            URL = scheme + "://" + client_hostname + ":" + client_port + ADMIN_PATH;
+        } else {
+            // unknown HTTP server port:  should never get here
+            URL = scheme + "://" + client_hostname + ":" + client_port + ERROR_PATH;
+
+            // uncomment the following line to write to 'catalina.out'
+            //System.out.println( "Unknown HTTP server port:  '" + server_port + "'" );
+        }
+    } else if( scheme.equals( HTTPS_SCHEME ) ) {
+        if( server_port == AGENT_HTTPS_PORT ) {
+            URL = scheme + "://" + client_hostname + ":" + client_port + AGENT_PATH;
+        } else if( server_port == EE_HTTPS_PORT ) {
+            // always redirect to secure admin 'services' port
+            client_port = ADMIN_HTTPS_PORT;
+            URL = scheme + "://" + client_hostname + ":" + client_port + ADMIN_PATH;
+        } else if( server_port == ADMIN_HTTPS_PORT ) {
+            URL = scheme + "://" + client_hostname + ":" + client_port + ADMIN_PATH;
+        } else {
+            // unknown HTTPS server port:  should never get here
+            URL = scheme + "://" + client_hostname + ":" + client_port + ERROR_PATH;
+
+            // uncomment the following line to write to 'catalina.out'
+            //System.out.println( "Unknown HTTPS server port:  '" + server_port + "'" );
+        }
+    } else {
+        // unacceptable scheme:  should never get here
+        URL = scheme + "://" + client_hostname + ":" + client_port + ERROR_PATH;
+
+        // uncomment the following line to write to 'catalina.out'
+        //System.out.println( "Unacceptable scheme:  '" + scheme + "'" );
+    }
+
+    // respond (back to browser) with the appropriate redirected URL
+    response.sendRedirect( URL );
 %>
diff --git a/pki/base/ocsp/shared/webapps/ROOT/index.jsp b/pki/base/ocsp/shared/webapps/ROOT/index.jsp
index d3a2276bd..4b2b3c60a 100644
--- a/pki/base/ocsp/shared/webapps/ROOT/index.jsp
+++ b/pki/base/ocsp/shared/webapps/ROOT/index.jsp
@@ -1,13 +1,98 @@
 <!-- --- BEGIN COPYRIGHT BLOCK ---
-     Copyright (C) 2006 Red Hat, Inc.
+     This program is free software; you can redistribute it and/or modify
+     it under the terms of the GNU General Public License as published by
+     the Free Software Foundation; version 2 of the License.
+
+     This program is distributed in the hope that it will be useful,
+     but WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+     GNU General Public License for more details.
+
+     You should have received a copy of the GNU General Public License along
+     with this program; if not, write to the Free Software Foundation, Inc.,
+     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+     Copyright (C) 2010 Red Hat, Inc.
      All rights reserved.
      --- END COPYRIGHT BLOCK --- -->
 <%
-  String op = request.getParameter("op");
-  if (op == null || op.equals("")) {
-    String redirectURL = "/ca/ee/ca";
-    response.sendRedirect(redirectURL);
-  } else if (op.equals("enroll")) {
-    /* redirect to enrollment servlet */
-  }
+    // establish acceptable schemes
+    final String HTTP_SCHEME = "http";
+    final String HTTPS_SCHEME = "https";
+
+    // establish known ports
+    final int EE_HTTP_PORT = [PKI_UNSECURE_PORT];
+    final int AGENT_HTTPS_PORT = [PKI_AGENT_SECURE_PORT];
+    final int EE_HTTPS_PORT = [PKI_EE_SECURE_PORT];
+    final int ADMIN_HTTPS_PORT = [PKI_ADMIN_SECURE_PORT];
+
+    // establish known paths
+    final String ADMIN_PATH = "/[PKI_SUBSYSTEM_TYPE]/services";
+    final String AGENT_PATH = "/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]";
+    final String ERROR_PATH = "/[PKI_SUBSYSTEM_TYPE]/404.html";
+
+    // retrieve scheme from request
+    String scheme = request.getScheme();
+
+    // retrieve client hostname on which the request was sent
+    String client_hostname = request.getServerName();
+
+    // retrieve client port number on which the request was sent
+    int client_port = request.getServerPort();
+
+    // retrieve server hostname on which the request was received
+    String server_hostname = request.getLocalName();
+
+    // retrieve server port number on which the request was received
+    int server_port = request.getLocalPort();
+
+    // uncomment the following lines to write to 'catalina.out'
+    //System.out.println( "scheme = '" + scheme + "'" );
+    //System.out.println( "client hostname = '" + client_hostname + "'" );
+    //System.out.println( "client port = '" + client_port + "'" );
+    //System.out.println( "server hostname = '" + server_hostname + "'" );
+    //System.out.println( "server port = '" + server_port + "'" );
+
+    // compose the appropriate URL
+    String URL = "";
+
+    if( scheme.equals( HTTP_SCHEME ) ) {
+        if( server_port == EE_HTTP_PORT ) {
+            // always redirect to secure admin 'services' port
+            scheme = HTTPS_SCHEME;
+            client_port = ADMIN_HTTPS_PORT;
+            URL = scheme + "://" + client_hostname + ":" + client_port + ADMIN_PATH;
+        } else {
+            // unknown HTTP server port:  should never get here
+            URL = scheme + "://" + client_hostname + ":" + client_port + ERROR_PATH;
+
+            // uncomment the following line to write to 'catalina.out'
+            //System.out.println( "Unknown HTTP server port:  '" + server_port + "'" );
+        }
+    } else if( scheme.equals( HTTPS_SCHEME ) ) {
+        if( server_port == AGENT_HTTPS_PORT ) {
+            URL = scheme + "://" + client_hostname + ":" + client_port + AGENT_PATH;
+        } else if( server_port == EE_HTTPS_PORT ) {
+            // always redirect to secure admin 'services' port
+            client_port = ADMIN_HTTPS_PORT;
+            URL = scheme + "://" + client_hostname + ":" + client_port + ADMIN_PATH;
+        } else if( server_port == ADMIN_HTTPS_PORT ) {
+            URL = scheme + "://" + client_hostname + ":" + client_port + ADMIN_PATH;
+        } else {
+            // unknown HTTPS server port:  should never get here
+            URL = scheme + "://" + client_hostname + ":" + client_port + ERROR_PATH;
+
+            // uncomment the following line to write to 'catalina.out'
+            //System.out.println( "Unknown HTTPS server port:  '" + server_port + "'" );
+        }
+    } else {
+        // unacceptable scheme:  should never get here
+        URL = scheme + "://" + client_hostname + ":" + client_port + ERROR_PATH;
+
+        // uncomment the following line to write to 'catalina.out'
+        //System.out.println( "Unacceptable scheme:  '" + scheme + "'" );
+    }
+
+    // respond (back to browser) with the appropriate redirected URL
+    response.sendRedirect( URL );
 %>
diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate
index 1a2b37b21..5dc0a087e 100755
--- a/pki/base/setup/pkicreate
+++ b/pki/base/setup/pkicreate
@@ -246,7 +246,7 @@ my $cmscore_jar_base_name        = "cmscore.jar";          # CA, KRA, OCSP, TKS
 my $conf_base_name               = "conf";                 # CA, KRA, OCSP, TKS,
                                                            # RA, TPS
 my $httpd_conf_base_name         = "httpd.conf";           # RA, TPS
-my $index_html_base_name         = "index.html";           # CA, KRA, OCSP, TKS
+my $index_jsp_base_name          = "index.jsp";            # CA, KRA, OCSP, TKS
 my $logs_base_name               = "logs";                 # CA, KRA, OCSP, TKS,
                                                            # RA, TPS
 my $magic_base_name              = "magic";                # RA, TPS
@@ -516,8 +516,8 @@ my $cmscore_jar_file_path                     = "";  # CA, KRA, OCSP, TKS
 my $cmscore_jar_symlink_path                  = "";  # CA, KRA, OCSP, TKS
 my $httpd_conf_instance_file_path             = "";  # RA, TPS
 my $httpd_conf_subsystem_file_path            = "";  # RA, TPS
-my $index_html_instance_file_path             = "";  # CA, KRA, OCSP, TKS
-my $index_html_subsystem_file_path            = "";  # CA, KRA, OCSP, TKS
+my $index_jsp_instance_file_path              = "";  # CA, KRA, OCSP, TKS
+my $index_jsp_subsystem_file_path             = "";  # CA, KRA, OCSP, TKS
 my $java_pki_flavor_jar_path                  = "";  # CA, KRA, OCSP, TKS
 my $magic_instance_file_path                  = "";  # RA, TPS
 my $magic_subsystem_file_path                 = "";  # RA, TPS
@@ -1849,10 +1849,10 @@ sub initialize_subdirectory_paths()
                                            . "/" . $cmscore_jar_base_name;
         $cmscore_jar_symlink_path          = $webinf_lib_instance_path
                                            . "/" . $cmscore_jar_base_name;
-        $index_html_instance_file_path     = $webapps_root_instance_path
-                                           . "/" . $index_html_base_name;
-        $index_html_subsystem_file_path    = $webapps_root_subsystem_path
-                                           . "/" . $index_html_base_name;
+        $index_jsp_instance_file_path      = $webapps_root_instance_path
+                                           . "/" . $index_jsp_base_name;
+        $index_jsp_subsystem_file_path     = $webapps_root_subsystem_path
+                                           . "/" . $index_jsp_base_name;
         $osutil_jar_file_path              = $default_system_jni_java_path
                                            . "/" . $osutil_jar_base_name;
         $osutil_jar_symlink_path           = $webinf_lib_instance_path
@@ -2859,9 +2859,9 @@ LoadModule nss_module  /opt/fortitude/modules.local/libmodnss.so
               $catalina_sh_instance_file_path );
 
 
-        # process "index.html" template
-        $result = process_file_template( $index_html_subsystem_file_path,
-                                         $index_html_instance_file_path,
+        # process "index.jsp" template
+        $result = process_file_template( $index_jsp_subsystem_file_path,
+                                         $index_jsp_instance_file_path,
                                          \%slot_hash );
         if( !$result ) {
             return 0;
diff --git a/pki/base/tks/shared/webapps/ROOT/index.jsp b/pki/base/tks/shared/webapps/ROOT/index.jsp
index d3a2276bd..4b2b3c60a 100644
--- a/pki/base/tks/shared/webapps/ROOT/index.jsp
+++ b/pki/base/tks/shared/webapps/ROOT/index.jsp
@@ -1,13 +1,98 @@
 <!-- --- BEGIN COPYRIGHT BLOCK ---
-     Copyright (C) 2006 Red Hat, Inc.
+     This program is free software; you can redistribute it and/or modify
+     it under the terms of the GNU General Public License as published by
+     the Free Software Foundation; version 2 of the License.
+
+     This program is distributed in the hope that it will be useful,
+     but WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+     GNU General Public License for more details.
+
+     You should have received a copy of the GNU General Public License along
+     with this program; if not, write to the Free Software Foundation, Inc.,
+     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+     Copyright (C) 2010 Red Hat, Inc.
      All rights reserved.
      --- END COPYRIGHT BLOCK --- -->
 <%
-  String op = request.getParameter("op");
-  if (op == null || op.equals("")) {
-    String redirectURL = "/ca/ee/ca";
-    response.sendRedirect(redirectURL);
-  } else if (op.equals("enroll")) {
-    /* redirect to enrollment servlet */
-  }
+    // establish acceptable schemes
+    final String HTTP_SCHEME = "http";
+    final String HTTPS_SCHEME = "https";
+
+    // establish known ports
+    final int EE_HTTP_PORT = [PKI_UNSECURE_PORT];
+    final int AGENT_HTTPS_PORT = [PKI_AGENT_SECURE_PORT];
+    final int EE_HTTPS_PORT = [PKI_EE_SECURE_PORT];
+    final int ADMIN_HTTPS_PORT = [PKI_ADMIN_SECURE_PORT];
+
+    // establish known paths
+    final String ADMIN_PATH = "/[PKI_SUBSYSTEM_TYPE]/services";
+    final String AGENT_PATH = "/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]";
+    final String ERROR_PATH = "/[PKI_SUBSYSTEM_TYPE]/404.html";
+
+    // retrieve scheme from request
+    String scheme = request.getScheme();
+
+    // retrieve client hostname on which the request was sent
+    String client_hostname = request.getServerName();
+
+    // retrieve client port number on which the request was sent
+    int client_port = request.getServerPort();
+
+    // retrieve server hostname on which the request was received
+    String server_hostname = request.getLocalName();
+
+    // retrieve server port number on which the request was received
+    int server_port = request.getLocalPort();
+
+    // uncomment the following lines to write to 'catalina.out'
+    //System.out.println( "scheme = '" + scheme + "'" );
+    //System.out.println( "client hostname = '" + client_hostname + "'" );
+    //System.out.println( "client port = '" + client_port + "'" );
+    //System.out.println( "server hostname = '" + server_hostname + "'" );
+    //System.out.println( "server port = '" + server_port + "'" );
+
+    // compose the appropriate URL
+    String URL = "";
+
+    if( scheme.equals( HTTP_SCHEME ) ) {
+        if( server_port == EE_HTTP_PORT ) {
+            // always redirect to secure admin 'services' port
+            scheme = HTTPS_SCHEME;
+            client_port = ADMIN_HTTPS_PORT;
+            URL = scheme + "://" + client_hostname + ":" + client_port + ADMIN_PATH;
+        } else {
+            // unknown HTTP server port:  should never get here
+            URL = scheme + "://" + client_hostname + ":" + client_port + ERROR_PATH;
+
+            // uncomment the following line to write to 'catalina.out'
+            //System.out.println( "Unknown HTTP server port:  '" + server_port + "'" );
+        }
+    } else if( scheme.equals( HTTPS_SCHEME ) ) {
+        if( server_port == AGENT_HTTPS_PORT ) {
+            URL = scheme + "://" + client_hostname + ":" + client_port + AGENT_PATH;
+        } else if( server_port == EE_HTTPS_PORT ) {
+            // always redirect to secure admin 'services' port
+            client_port = ADMIN_HTTPS_PORT;
+            URL = scheme + "://" + client_hostname + ":" + client_port + ADMIN_PATH;
+        } else if( server_port == ADMIN_HTTPS_PORT ) {
+            URL = scheme + "://" + client_hostname + ":" + client_port + ADMIN_PATH;
+        } else {
+            // unknown HTTPS server port:  should never get here
+            URL = scheme + "://" + client_hostname + ":" + client_port + ERROR_PATH;
+
+            // uncomment the following line to write to 'catalina.out'
+            //System.out.println( "Unknown HTTPS server port:  '" + server_port + "'" );
+        }
+    } else {
+        // unacceptable scheme:  should never get here
+        URL = scheme + "://" + client_hostname + ":" + client_port + ERROR_PATH;
+
+        // uncomment the following line to write to 'catalina.out'
+        //System.out.println( "Unacceptable scheme:  '" + scheme + "'" );
+    }
+
+    // respond (back to browser) with the appropriate redirected URL
+    response.sendRedirect( URL );
 %>
diff --git a/pki/base/ca/shared/webapps/ROOT/index.html b/pki/dogtag/ca-ui/shared/webapps/ca/admin/index.html
index ecfd741c9..30662d47a 100644
--- a/pki/base/ca/shared/webapps/ROOT/index.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/admin/index.html
@@ -16,7 +16,8 @@
      All rights reserved.
      --- END COPYRIGHT BLOCK --- -->
 <html>
-<head>
-<meta http-equiv="refresh" content="0; URL=https://[PKI_MACHINE_NAME]:[PKI_SECURE_PORT]/ca/services">
-</head>
+<script lang="javascript">
+    // redirect to 'ROOT'
+    window.location = "/";
+</script>
 </html>
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/agent/index.html b/pki/dogtag/ca-ui/shared/webapps/ca/agent/index.html
index 8302f4d4a..30662d47a 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/agent/index.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/agent/index.html
@@ -15,7 +15,9 @@
      Copyright (C) 2007 Red Hat, Inc.
      All rights reserved.
      --- END COPYRIGHT BLOCK --- -->
-<HTML>
-<meta http-equiv="Refresh" content="0;URL=/index">
-<link rel="shortcut icon" href="/ca/agent/graphics/favicon.ico" />
-</HTML>
+<html>
+<script lang="javascript">
+    // redirect to 'ROOT'
+    window.location = "/";
+</script>
+</html>
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/index.html b/pki/dogtag/ca-ui/shared/webapps/ca/ee/index.html
index 44b6deaaf..30662d47a 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/index.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/index.html
@@ -16,15 +16,8 @@
      All rights reserved.
      --- END COPYRIGHT BLOCK --- -->
 <html>
-<link rel="shortcut icon" href="/ca/ee/graphics/favicon.ico" />
-<script lang="javascript" src="/ca/ee/dynamicVars.js"></script>
 <script lang="javascript">
-  if (subsystemname == 'ca') {
-    window.location = "/ca";
-  }else if (subsystemname == 'ra') {
-    window.location="/ra";
-  }else if (subsystemname == 'ocsp') {
-    document.writeln("There is no GUI interface for OCSP client.");
-  }
+    // redirect to 'ROOT'
+    window.location = "/";
 </script>
 </html>
diff --git a/pki/base/kra/shared/webapps/ROOT/index.html b/pki/dogtag/ca-ui/shared/webapps/ca/index.html
index a483baabf..30662d47a 100644
--- a/pki/base/kra/shared/webapps/ROOT/index.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/index.html
@@ -16,7 +16,8 @@
      All rights reserved.
      --- END COPYRIGHT BLOCK --- -->
 <html>
-<head>
-<meta http-equiv="refresh" content="0; URL=https://[PKI_MACHINE_NAME]:[PKI_SECURE_PORT]/kra/services">
-</head>
+<script lang="javascript">
+    // redirect to 'ROOT'
+    window.location = "/";
+</script>
 </html>
diff --git a/pki/dogtag/kra-ui/shared/webapps/kra/agent/index.html b/pki/dogtag/kra-ui/shared/webapps/kra/agent/index.html
index aa8805945..30662d47a 100644
--- a/pki/dogtag/kra-ui/shared/webapps/kra/agent/index.html
+++ b/pki/dogtag/kra-ui/shared/webapps/kra/agent/index.html
@@ -15,8 +15,9 @@
      Copyright (C) 2007 Red Hat, Inc.
      All rights reserved.
      --- END COPYRIGHT BLOCK --- -->
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<HTML>
-<meta http-equiv="Refresh" content="0;URL=/index">
-<link rel="shortcut icon" href="/kra/agent/graphics/favicon.ico" />
-</HTML>
+<html>
+<script lang="javascript">
+    // redirect to 'ROOT'
+    window.location = "/";
+</script>
+</html>
diff --git a/pki/base/tks/shared/webapps/ROOT/index.html b/pki/dogtag/kra-ui/shared/webapps/kra/index.html
index 1cf44b26b..30662d47a 100644
--- a/pki/base/tks/shared/webapps/ROOT/index.html
+++ b/pki/dogtag/kra-ui/shared/webapps/kra/index.html
@@ -16,7 +16,8 @@
      All rights reserved.
      --- END COPYRIGHT BLOCK --- -->
 <html>
-<head>
-<meta http-equiv="refresh" content="0; URL=https://[PKI_MACHINE_NAME]:[PKI_SECURE_PORT]/tks/services">
-</head>
+<script lang="javascript">
+    // redirect to 'ROOT'
+    window.location = "/";
+</script>
 </html>
diff --git a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/index.html b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/index.html
index 5a400ee13..30662d47a 100644
--- a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/index.html
+++ b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/index.html
@@ -15,7 +15,9 @@
      Copyright (C) 2007 Red Hat, Inc.
      All rights reserved.
      --- END COPYRIGHT BLOCK --- -->
-<HTML>
-<meta http-equiv="Refresh" content="0;URL=/index">
-<link rel="shortcut icon" href="/ocsp/agent/graphics/favicon.ico" />
-</HTML>
+<html>
+<script lang="javascript">
+    // redirect to 'ROOT'
+    window.location = "/";
+</script>
+</html>
diff --git a/pki/base/ocsp/shared/webapps/ROOT/index.html b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/index.html
index 4ebf3fe5f..30662d47a 100644
--- a/pki/base/ocsp/shared/webapps/ROOT/index.html
+++ b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/index.html
@@ -16,7 +16,8 @@
      All rights reserved.
      --- END COPYRIGHT BLOCK --- -->
 <html>
-<head>
-<meta http-equiv="refresh" content="0; URL=https://[PKI_MACHINE_NAME]:[PKI_SECURE_PORT]/ocsp/services">
-</head>
+<script lang="javascript">
+    // redirect to 'ROOT'
+    window.location = "/";
+</script>
 </html>
diff --git a/pki/dogtag/tks-ui/shared/webapps/tks/agent/index.html b/pki/dogtag/tks-ui/shared/webapps/tks/agent/index.html
index ee2cd2e0b..30662d47a 100644
--- a/pki/dogtag/tks-ui/shared/webapps/tks/agent/index.html
+++ b/pki/dogtag/tks-ui/shared/webapps/tks/agent/index.html
@@ -15,8 +15,9 @@
      Copyright (C) 2007 Red Hat, Inc.
      All rights reserved.
      --- END COPYRIGHT BLOCK --- -->
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<HTML>
-<meta http-equiv="Refresh" content="0;URL=/index">
-<link rel="shortcut icon" href="/tks/agent/graphics/favicon.ico" />
-</HTML>
+<html>
+<script lang="javascript">
+    // redirect to 'ROOT'
+    window.location = "/";
+</script>
+</html>
diff --git a/pki/dogtag/tks-ui/shared/webapps/tks/index.html b/pki/dogtag/tks-ui/shared/webapps/tks/index.html
new file mode 100644
index 000000000..30662d47a
--- /dev/null
+++ b/pki/dogtag/tks-ui/shared/webapps/tks/index.html
@@ -0,0 +1,23 @@
+<!-- --- BEGIN COPYRIGHT BLOCK ---
+     This program is free software; you can redistribute it and/or modify
+     it under the terms of the GNU General Public License as published by
+     the Free Software Foundation; version 2 of the License.
+
+     This program is distributed in the hope that it will be useful,
+     but WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+     GNU General Public License for more details.
+
+     You should have received a copy of the GNU General Public License along
+     with this program; if not, write to the Free Software Foundation, Inc.,
+     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+     Copyright (C) 2007 Red Hat, Inc.
+     All rights reserved.
+     --- END COPYRIGHT BLOCK --- -->
+<html>
+<script lang="javascript">
+    // redirect to 'ROOT'
+    window.location = "/";
+</script>
+</html>