I did the following steps:
1) Created a self-signed certificate via keytool
2) Configured a connector on 8443 port in server.xml
3) Checked that both localhost:8080 and localhost:8443 are accessible
4) Added the following security constraint to my web.xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
When I go to http://localhost:8080/MyApp/, there is no redirect to https://localhost:8443/MyApp/. As far as I understand, requests using HTTP for URLs whose transport guarantee is CONFIDENTIAL should be automatically redirected to the same URL using HTTPS.
However, my app remains accessible, and works using both HTTP and HTTPS. I am using Tomcat 6.0.36. What am I missing?
Thanks in advance.
Answering my own question.
I found out that this behavior is caused by the secure flag of the HTTP connector. I set it previously for testing purposes and forgot about it.
When the HTTP connector has secure="true" and there are no existing JSESSIONID cookies in the browser:
When the HTTP connector has secure="false":
Actually this configuration works pretty well. With those settings you get a 302 REDIRECT to the https port. In the normal case it happens transparently (e.g. in a browser or Postman); that's why it works. If you really need to make sure it works as expected, you can use curl with verbose output for that:
curl -v http://localhost:80/your_resources/
then you will see each step and the redirect command to
https://localhost:443/your_resources/
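As an added example (not from either answer above), here is the server.xml connector pair behind both answers: the first HTTP connector carries the secure="true" misconfiguration the self-answer identifies, the second is the corrected form that produces the 302 the curl check shows. Attribute names are the standard Tomcat 6 ones; the keystore path and password are placeholders.

```xml
<!-- Added example, not from the original post. Connector attributes are
     standard Tomcat 6 ones; keystoreFile and keystorePass are placeholders. -->

<!-- Misconfigured: secure="true" on the plain HTTP connector tells Tomcat
     that requests arriving on 8080 already came over a secure channel, so
     a CONFIDENTIAL transport guarantee counts as satisfied and no redirect
     to redirectPort is issued. The app stays reachable over plain HTTP. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           secure="true" />

<!-- Corrected: secure is left at its default (false) on the HTTP connector.
     A plain-HTTP request for a CONFIDENTIAL resource is now answered with
     302 and a Location header pointing at https://host:8443/... -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- secure="true" belongs on the HTTPS connector, together with scheme="https",
     so that request.isSecure() and the Secure cookie flag are set only here. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/PLACEHOLDER.keystore"
           keystorePass="PLACEHOLDER" />
```

With the corrected connector, curl -v http://localhost:8080/MyApp/ should show HTTP/1.1 302 and a Location: https://localhost:8443/MyApp/ header; with the misconfigured one it returns the page directly with 200.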