Jeffrey,
On 3/7/2011 3:18 PM, Jeffrey Janner wrote:
> No one so far has mentioned it, but yes, you are seeing behavior as
> designed. The CONFIDENTIAL setting causes Tomcat to send a redirect
> to SSL if the request comes in on standard HTTP.
You mi
Olivier -
No one so far has mentioned it, but yes, you are seeing behavior as designed.
The CONFIDENTIAL setting causes Tomcat to send a redirect to SSL if the request
comes in on standard HTTP.
If your true intent is not to allow *ANY* traffic over HTTP, then you need to
remove your HTTP fro
Olivier Lefevre wrote:
On 3/7/2011 1:27 PM, Konstantin Kolinko wrote:
Why do you forbid HEAD? IMHO it should have the same constraints as
GET, because browsers use them together.
OK. That doesn't answer my question, though.
But in the meantime I realized that in the access log there are pairs
On 3/7/2011 1:27 PM, Konstantin Kolinko wrote:
Why do you forbid HEAD? IMHO it should have the same constraints as
GET, because browsers use them together.
OK. That doesn't answer my question, though.
But in the meantime I realized that in the access log there are pairs
of entries with status
2011/3/7 Olivier Lefevre:
> I put this in my webapp's web.xml, the intent being to
> allow GET and POST over https and nothing else:
>
>
>
> forbidden
> /*
> HEAD
> PUT
> DELETE
> OPTIONS
> TRACE
>
>
>
>
>
>
>