Christoph

Fair enough that it is not a security leak. Can you throw some light on
what's happening internally, so as to understand why we get this garbled
data to be downloaded?

Sorry for pushing
Amey

On Mon, Mar 28, 2016 at 10:00 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Amey,
>
> On 3/28/16 11:25 AM, Amey Rokde wrote:
> > Maybe I didn't explain my question properly. What we have is a single
> > web application running on https port 7070. This port is configured for
> > https connection only and that's the reason there is a single connector. What
> > we are seeing is that if, by mistake or intentionally, the user, instead of
> > https://localhost:7070/myapp, types http://localhost:7070/myapp,
> > the content with some garbled data gets downloaded.  The question is
> > whether I can prevent the garbled data and, if so, how I can do that.
>
> There is currently no Tomcat-only solution that meets all of your
> criteria (single connector).
>
> Apache httpd can respond with a plaintext response (it's a 400, not a
> 404), but Apache Tomcat is not yet able to do that.
>
> I would like to reiterate that there is no security leak, here.
>
> -chris
>
> > On Mon, Mar 28, 2016 at 7:15 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Amey,
> >
> > On 3/28/16 3:54 AM, Amey Rokde wrote:
> >>>> Dear Community
> >>>>
> >>>> We are using the apache-tomcat-7.0.55 and have configured only one
> >>>> SSL connector (7070).
> >>>>
> >>>> The SSL connection (https) works properly and I am able to fetch
> >>>> the request. But if we make an http request we get the garbled data to
> >>>> be downloaded in the browser.
> >
> > This is expected behavior.
> >
> >>>> I tried searching over the net but the information available is
> >>>> more about redirect and things around it. What I want is to prevent
> >>>> this garbled data and get more of http 404 not found.
> >
> > Then you need to make an HTTP connection, not an HTTPS one. It's easy
> > to configure an HTTP connector that redirects to HTTPS.
> >
> >>>> Getting this garbled data is considered more or less a security
> >>>> leak.
> >
> > Considered a security leak by whom? There is no information leakage.
> > There are no secrets being transmitted. This is an inconvenience to
> > the user that you can easily remedy.
> >
> >>>> I am attaching the sample server xml of the tomcat.
> >
> > Thanks, but it wasn't relevant (other than to confirm that you weren't
> > configuring an HTTPS connector on a standard HTTP port such as 80).
> >
> >>>> Please advise what needs to be done.
> >
> > If you want your users to get a 404, then you should listen on port 80
> > (for HTTP) and return 404 for all requests. If you want to do better
> > than that, you should listen on port 80 (for HTTP) and redirect all
> > requests to the secure port.
> >
> >>>> PS: the higher Tomcat versions, namely apache-tomcat-8.0.32, do not
> >>>> show the above behaviour.
> >
> > It should behave exactly the same way.
> >
> > -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> >
>

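What a TLS-only listener such as the port 7070 connector is looking at when a client sends plain HTTP, as an added example (not part of the thread and not Tomcat's code). The request, the ClientHello prefix and the 7-byte alert are constructed samples; that the server answers with a fatal TLS alert record is an assumption about the TLS stack, and those raw bytes are what would reach the browser in place of an HTTP response.

```python
import struct

# TLS record content types and a few alert descriptions (RFC 5246).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERTS = {10: "unexpected_message", 22: "record_overflow",
          40: "handshake_failure", 50: "decode_error", 70: "protocol_version"}
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ")

# Constructed samples, not captured traffic.
HTTP_REQUEST = b"GET /myapp HTTP/1.1\r\nHost: localhost:7070\r\n\r\n"
CLIENT_HELLO_START = bytes.fromhex("1603010200") + b"\x01"
FATAL_ALERT = bytes.fromhex("1503010002020a")  # assumed server reply

def parse_record_header(data):
    """Decode the 5-byte TLS record header: type, version, length."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type_name": CONTENT_TYPES.get(ctype, "invalid"),
            "version": (major, minor), "length": length}

def classify_first_bytes(data):
    """Classify what a TLS-only listener receives when a connection opens."""
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    header = parse_record_header(data)
    if header["type_name"] == "handshake" and header["version"][0] == 3:
        return "tls-handshake"
    return "unknown"

def describe_alert(data):
    """Return (level, description) if data is a single TLS alert record."""
    header = parse_record_header(data)
    if header["type_name"] != "alert" or header["length"] != 2 or len(data) < 7:
        return None
    level = {1: "warning", 2: "fatal"}.get(data[5], "unknown")
    return level, ALERTS.get(data[6], "alert_%d" % data[6])

if __name__ == "__main__":
    # "GET /" read as a record header: invalid type 0x47, version 0x45.0x54
    print(classify_first_bytes(HTTP_REQUEST), parse_record_header(HTTP_REQUEST))
    print(classify_first_bytes(CLIENT_HELLO_START))
    print(describe_alert(FATAL_ALERT))
```
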