I did the following steps:
1) Created a self-signed certificate via keytool
2) Configured a connector on 8443 port in server.xml
3) Checked that both localhost:8080 and localhost:8433 are accessible
4) Added the following security constraint to my web.xml
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>securedapp</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
When I go to http://localhost:8080/MyApp/, there is no redirect to https://localhost:8443/MyApp/. As far as I understand, requests using HTTP for URLs whose transport guarantee is CONFIDENTIAL should be automatically redirected to the same URL using HTTPS.
However, my app remains accessible and works using both HTTP and HTTPS. I am using Tomcat 6.0.36. What am I missing?
Thanks in advance.
Answering my own question.
I found out that this behavior is caused by the secure flag of the HTTP connector. I set it previously for testing purposes and forgot about it.
When the HTTP connector has secure="true" and there are no existing JSESSIONID cookies in a browser:
When the HTTP connector has secure="false":
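For reference, here is what the two connectors in Tomcat's conf/server.xml look like with the flag placed correctly. This is an added example, not the poster's own server.xml; the keystore path and password are placeholders, and the misconfigured connector is shown commented out so the weak setting and the corrected one can be compared side by side. With secure="true" on the plain HTTP connector, Tomcat treats every plaintext request as if it had arrived over TLS (request.isSecure() returns true), so the CONFIDENTIAL transport guarantee is considered already satisfied and the redirect never fires, which is exactly the symptom described in the question.

```xml
<!-- Added example, not from the original post. Both Connector elements sit
     inside <Service name="Catalina"> in conf/server.xml (Tomcat 6). -->

<!-- MISCONFIGURED (produces the symptom in the question): the plaintext
     connector claims to be secure, so CONFIDENTIAL is never enforced.
<Connector port="8080" protocol="HTTP/1.1" secure="true" redirectPort="8443" />
-->

<!-- Corrected plain HTTP connector. Leave secure out (default is false) or set
     it to "false". redirectPort is where Tomcat sends a request that hits a
     CONFIDENTIAL constraint over plain HTTP. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           secure="false"
           redirectPort="8443" />

<!-- HTTPS connector. This is the only place secure="true" belongs (the other
     legitimate case is an HTTP connector behind a TLS-terminating proxy).
     keystoreFile and keystorePass are placeholders for the keytool-generated
     keystore from step 1 of the question. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${catalina.home}/conf/keystore.jks"
           keystorePass="PLACEHOLDER_KEYSTORE_PASSWORD" />
```

After restarting Tomcat, a request such as `curl -I http://localhost:8080/MyApp/` should answer with a 302 and a `Location: https://localhost:8443/MyApp/` header instead of a 200. curl sends no cookies by default, which matches the answer's observation that the difference shows up when there is no existing JSESSIONID cookie; in a browser, test in a fresh session for the same reason.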