Olivier - No one so far has mentioned it, but yes, you are seeing behavior as designed. The CONFIDENTIAL setting causes Tomcat to send a redirect to SSL if the request comes in on standard HTTP. If your true intent is not to allow *ANY* traffic over HTTP, then you need to remove your HTTP <Connector> from the server.xml. However, leaving it this way is a "nicety" for the end user.
Jeff

> -----Original Message-----
> From: Olivier Lefevre [mailto:lefev...@yahoo.com]
> Sent: Monday, March 07, 2011 4:16 AM
> To: users@tomcat.apache.org
> Subject: Forcing SSL use
>
> I put this in my webapp's web.xml, the intent being to
> allow GET and POST over https and nothing else:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>forbidden</web-resource-name>
>     <url-pattern>/*</url-pattern>
>     <http-method>HEAD</http-method>
>     <http-method>PUT</http-method>
>     <http-method>DELETE</http-method>
>     <http-method>OPTIONS</http-method>
>     <http-method>TRACE</http-method>
>   </web-resource-collection>
>   <auth-constraint/>
> </security-constraint>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>secure</web-resource-name>
>     <url-pattern>/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> However when I try an http URL @ port 8080, i.e., a GET request,
> instead of getting a 403 error as expected the URL in the browser
> mutates all by itself to an https @ port 8443 and succeeds. Is
> it the correct behaviour? To my reading the spec is vague as to
> what exactly should happen then.
>
> Thanks,
>
> -- O.L.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
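Jeff's answer in server.xml terms, as an added illustration that is not part of this thread and not copied from any Tomcat distribution: the stock connector pair that produces the redirect Olivier observed, and the variant that leaves only the TLS connector so that plain HTTP is refused outright. The port numbers are the ones from the thread; the Connector attribute names are standard Tomcat ones, while the keystore path and password are placeholders.

```xml
<!-- Added example, not from the thread. Connector pair for a Tomcat server.xml
     (attribute names are real Tomcat Connector attributes; keystore values are
     placeholders). -->

<!-- BEFORE: the plain HTTP connector is what answers on 8080. Its redirectPort
     tells Tomcat where to send a client whose request hits a CONFIDENTIAL
     user-data-constraint, which is why the browser URL "mutates" to https on
     8443 instead of the request being refused with a 403. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- The TLS connector; it is present in both variants. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/PLACEHOLDER/path/to/keystore.jks"
           keystorePass="PLACEHOLDER" />

<!-- AFTER: to allow no traffic at all over HTTP, delete (or comment out) the
     8080 connector above and keep only the 8443 connector. Nothing then listens
     on 8080, so a plain-http request is refused at the TCP level rather than
     redirected. The CONFIDENTIAL constraint stays in web.xml as a second layer
     in case an HTTP connector is ever added back. -->
```

To confirm which variant is in effect, request any URL on port 8080 with a client that does not follow redirects: with the first configuration the response is a 3xx whose Location header points at https on 8443, with the second the connection is simply refused.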