Tags: tomcat, jakarta-ee, https, web.xml

URLs which have the CONFIDENTIAL transport guarantee are still accessible using HTTP


I did the following steps:
1) Created a self-signed certificate via keytool
2) Configured a connector on 8443 port in server.xml
3) Checked that both localhost:8080 and localhost:8433 are accessible
4) Added the following security constraint to my web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

When I go to http://localhost:8080/MyApp/, there is no redirect to https://localhost:8443/MyApp/. As far as I understand, requests using HTTP for URLs whose transport guarantee is CONFIDENTIAL should be automatically redirected to the same URL using HTTPS.

However, my app remains accessible, and works using both HTTP and HTTPS. I am using Tomcat 6.0.36. What am I missing?

Thanks in advance.


Solution

  • Answering my own question.

    I found out that this behavior is caused by the secure flag of the HTTP connector. I had set it previously for testing purposes and forgot about it.

    When the HTTP connector has secure="true" and there are no existing JSESSIONID cookies in the browser:

    • for HTTP requests, JSESSIONID is stored in the URL
    • for HTTPS requests, JSESSIONID is stored in a cookie
    • the CONFIDENTIAL transport guarantee does not cause a redirect to the same URL using HTTPS

    When the HTTP connector has secure="false":

    • as expected, requests using HTTP for URLs whose transport guarantee is CONFIDENTIAL are automatically redirected to the same URL using HTTPS
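To make the fix concrete, here is an added server.xml illustration (not from the original question or answer) showing the mis-set HTTP connector the answer describes next to the corrected pair of connectors; port numbers follow the question, while the keystore path and password are placeholders.

```xml
<!-- Added illustration, not part of the original post. Port numbers
     match the question; keystore values are placeholders. -->

<!-- Problematic: secure="true" on the plain HTTP connector makes
     request.isSecure() return true for requests on 8080. Tomcat then
     treats the CONFIDENTIAL user-data constraint as already satisfied,
     so no redirect to 8443 is issued and the app stays reachable over
     cleartext HTTP. secure="true" on a non-TLS connector is only
     appropriate when a TLS-terminating proxy in front of Tomcat is the
     sole path to this port. -->
<Connector port="8080" protocol="HTTP/1.1"
           secure="true"
           redirectPort="8443" />

<!-- Corrected: leave secure at its default (false) on the HTTP
     connector and let redirectPort point at the SSL connector, so a
     cleartext request for a CONFIDENTIAL URL is redirected to HTTPS. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- The SSL connector itself is the one place secure="true" belongs,
     together with scheme="https" and SSLEnabled="true". -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="PLACEHOLDER_PATH/keystore.jks"
           keystorePass="PLACEHOLDER_PASSWORD"
           clientAuth="false" sslProtocol="TLS" />
```

A quick check after restarting Tomcat is to request http://localhost:8080/MyApp/ with redirects disabled and confirm the response is a 302 whose Location header starts with https://localhost:8443/.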