This came up a week or so ago. Check here for a very comprehensive reply from Milt Epstein. In short, isSecure is exactly the method you should use, and it does know if the original request is SSL or not. If it is always returning 'false', something else is going on.
http://marc.theaimsgroup.com/?l=tomcat-user&m=103608496529118&w=2 John > -----Original Message----- > From: Chris Parker [mailto:cparker@;cya.ca.gov] > Sent: Thursday, November 07, 2002 12:21 PM > To: Tomcat Users List > Subject: Re: Tomcat-Apache SSL - Extension Question > > > [reply] > > You need to understand the difference between running Tomcat > > standalone and integrated with a web server (such as Apache). > .. > [snip] > [/reply] > > Knowing all this, is there a way for a servlet to reliably > know whether > Apache is currently replying to http or https? The Apache > connector portion > works perfectly using two different IP addresses and IP#1 > being non-secure, > while IP#2 is secure. I'm having a bit of difficulty with > 'response.sendRedirect([relativeURL])' where one application > contains both > secure and non-secure content. I've seen this question asked > in several > threads, but haven't seen a definitive answer. > > - 'servletRequest.isSecure()' (okay, an extension of...) doesn't work > because the traffic between Apache and Tomcat isn't > encrypted. 'isSecure()' > _always_ returns false, since the traffic it's receiving > isn't encrypted. > > - I've tried using 'request.getRequestURL()' to dynamically > decide whether > the traffic is secure: i.e. > http://server/directory/referringpage.jsp == not > secure so a relativeURL to newpage.jsp will work; > http://server:443/directory/referringpage.jsp == secure so I > parse out the > server name, append 'https', and use an initial parameter for > the port (in > this case an empty string - but it could be ':8443'). The > problem is that > 'getRequestURL' indicates where the request came _from_, so a > redirect from > a secure page to a non-secure page fails. > > - Currently I put the fully qualified URL for both http and > https in an > initial parameter in web.xml, then I just append that to my URL in a > redirect. At least I can move code to a new server without > recompiling the > whole mess. The problem is that I don't want to depend on > the code knowing > whether it is forwarding to a secure page. > > Has anyone found a better way to do this? > > <=======================> > Chris Parker > Programmer/Analyst > Health Care Services Division > California Youth Authority > > > > -- > To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org> For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org> -- To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org> For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
