There are a lot of manuals on how to enable an automatic redirect from HTTP to HTTPS. But I need to disable such a redirect (following this advice: SSL everywhere, all the time). I use Tomcat 7.x and I need to implement the following:
All resources are protected (via this config in web.xml) [done]
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
I have already tried removing redirectPort in server.xml,
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
but it only led to a redirect to port 443 (whereas I expected the redirect to be disabled).
So my question is: how do I disable the automatic redirect from HTTP to HTTPS and return an error instead?
HSTS is a security feature that forces the browser to use HTTPS even when accessing an HTTP URL. The browser will start using HSTS for a domain after receiving a Strict-Transport-Security header from the server. The browser also ships with a list of domains for which HSTS is enabled by default.
You can configure two virtual hosts (one for http and one for https) which connect to the respective Tomcat backend servlets. You can look at this question for config examples. You want to do almost exactly the same thing.
Comment out the block in conf/web.xml. Once you do that, redirectPort will be ignored.
Take a look at the documentation:
redirectPort – If this Connector is supporting non-SSL requests, and a request is received for which a matching <security-constraint> requires SSL transport, Catalina will automatically redirect the request to the port number specified here.
The redirectPort indicates only the port; it does not allow or disallow the redirect, and if it is not specified, Catalina will redirect to the default HTTPS port (i.e. 443).
So check your web.xml files (WEB-INF/web.xml and CATALINA_HOME/conf/web.xml); at the end you may see a security-constraint with <web-resource-name>HTTPSOnly</web-resource-name> or <transport-guarantee>CONFIDENTIAL</transport-guarantee>. Edit the HTTPSOnly to HTTPSOrHTTP and the CONFIDENTIAL to NONE.
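As an added example (not from the question or any of the answers above, and not Tomcat's own code), the following servlet filter covers both the HSTS answer and the question's goal. With the CONFIDENTIAL constraint removed from web.xml so that the container no longer redirects, the filter refuses plain-HTTP requests with a 403 error instead of a redirect, and adds the Strict-Transport-Security header only on responses that went out over HTTPS. The class name, the choice of 403 and the one-year max-age are assumptions; Tomcat 7 implements Servlet 3.0, so the @WebFilter annotation registers the filter without a web.xml entry.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (example code, not part of Tomcat). It is mapped to
// every URL so it runs before any application servlet; with the container's
// CONFIDENTIAL constraint gone, this filter decides what happens to plain-HTTP
// requests instead of the redirectPort mechanism.
@WebFilter(filterName = "RequireHttpsFilter", urlPatterns = "/*")
public class RequireHttpsFilter implements Filter {

    // One year is a common production value; includeSubDomains is an assumption
    // that only fits deployments where every subdomain is served over HTTPS.
    private static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true for requests that arrived on the SSLEnabled
        // connector (secure="true" in server.xml) and false on the port 8080
        // HTTP connector.
        if (!request.isSecure()) {
            // Refuse rather than redirect: the cleartext response carries no
            // Location hint and nothing worth caching.
            response.setHeader("Cache-Control", "no-store");
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "This resource is only available over HTTPS.");
            return;
        }

        // Browsers only honour HSTS when the header arrives over HTTPS, so it is
        // set here on the secure path, before the servlet can commit the response.
        response.setHeader("Strict-Transport-Security", HSTS_VALUE);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

One caveat worth checking before deploying this: if TLS is terminated on a reverse proxy in front of Tomcat, request.isSecure() reflects what the Tomcat connector saw, not what the browser used, so every request would be refused. In that setup either mark the proxied connector secure="true" or configure RemoteIpValve with protocolHeader="X-Forwarded-Proto" so that Tomcat trusts the proxy's scheme header; confirm the behaviour with one request to each connector before relying on it.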