Jeff,

On 6/24/15 11:39 AM, Jeffrey Janner wrote:
>> -----Original Message-----
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Sent: Tuesday, June 23, 2015 3:18 PM
>> To: Tomcat Users List
>> Subject: Re: Settings when SSL terminates on the front-end
>>
>> On 17/06/2015 19:08, Jeffrey Janner wrote:
>>> I've been deploying letting Tomcat do it all when it came to connectors
>>> and SSL, with the app forcing everything to SSL in the
>>> <security-constraints> section. Now I'm setting up a haproxy front-end
>>> that will both terminate the SSL and take care of the redirect from HTTP
>>> to HTTPS for me, and Tomcat only running a standard HTTP port on 8080.
>>>
>>> So my question is, is it still important for the app to know that it is
>>> operating "secure", and if so, what settings are a must?
>>
>> Yes it is extremely important.
>>
>> You need secure="true" for everything received over HTTPS and
>> secure="false" for everything received over HTTP.
>>
>> It is simpler in your case since Tomcat only ever sees traffic that has
>> been received over HTTPS.
>>
>> There are several ways to ensure secure="true":
>>
>> In your case, setting it on the connector is the simplest and best
>> option.
>>
>> If proxying over AJP, the AJP connector takes care of it.
>>
>> The RemoteIp[Valve|Filter] or the SSLValve can handle this if proxying
>> over HTTP.
>>
>>
>> There are several reasons it is important (the first reason is the big
>> one):
>>
>> 1. Cookies created over secure connections will have the secure flag
>> set, which will ensure that browsers never send the cookie over HTTP. I
>> once watched a customer go very white while I was explaining this when
>> they realised that their banking app was sending authentication cookies
>> over HTTP connections.
>>
>> 2. The user data constraint in web.xml will only be satisfied if
>> secure="true".
>>
>> HTH,
>>
>> Mark
>
> Thanks for the confirmation Mark. That is what I thought I'd gleaned
> from previous posts. I will be sure to mark the http connection
> secure="true" in my Tomcat instances.
>
> I gather from #2 above that, having the secure setting on the http
> port, it won't really matter if the <security-constraints> exists in
> the web.xml or not, because Tomcat will assume it is already secure.
> Ergo, I don't have to get the developers to remove it.

Tomcat will assume that it is secure, but you should definitely leave it
in web.xml in case the deployment changes. You always want the
application to protect itself.

-chris
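The configuration Mark and Chris describe, written out as an added example (not configuration from the thread or from the Tomcat project itself). It shows the two Tomcat-side ways to get request.isSecure() true behind an HTTP-proxying front-end that has already terminated TLS, together with the web.xml user-data-constraint Chris says to keep. The host name, ports, the proxy IP address and the X-Forwarded-Proto header name are assumptions for illustration; the header must match whatever the haproxy front-end actually sends.

```xml
<!-- server.xml, option A: Mark's "simplest and best" choice for this case.
     Tomcat only ever receives traffic haproxy accepted over HTTPS, so the
     connector is hard-coded as secure. scheme/proxyName/proxyPort make
     redirects and request.getServerPort() reflect the public HTTPS endpoint
     (assumed values). -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           secure="true" scheme="https"
           proxyName="www.example.com" proxyPort="443" />

<!-- server.xml, option B: if the same connector must carry both HTTP and
     HTTPS traffic from the proxy. RemoteIpValve sets request.isSecure(),
     the scheme and the server port per request from the proxy's
     X-Forwarded-Proto header. Place it inside <Engine> or <Host>.
     internalProxies is a regex and must match the proxy's source address
     (10.0.0.5 is assumed); a header from any other address is ignored,
     which is what stops a client from spoofing X-Forwarded-Proto. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       internalProxies="10\.0\.0\.5"
       httpsServerPort="443" />

<!-- web.xml: the constraint Chris says to leave in place. With either option
     above, request.isSecure() is true, so CONFIDENTIAL is satisfied and no
     redirect is issued; if the deployment later changes so that Tomcat sees
     plain HTTP, this constraint is what forces the redirect to HTTPS. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- web.xml (Servlet 3.0+, Tomcat 7+): belt-and-braces for Mark's point #1.
     Forces the Secure flag on JSESSIONID regardless of what
     request.isSecure() reports, so a misconfigured connector cannot leak
     the session cookie over HTTP. -->
<session-config>
  <cookie-config>
    <secure>true</secure>
    <http-only>true</http-only>
  </cookie-config>
</session-config>
```

Two checks worth making after deploying this. First, with option A the connector reports every request as secure, including a request that reaches port 8080 directly without passing through haproxy, so port 8080 should only be reachable from the proxy. Second, the failure mode of getting this wrong is visible immediately: with the CONFIDENTIAL constraint in place and the connector not marked secure, Tomcat redirects each request to its HTTPS URL, haproxy forwards that again as plain HTTP on 8080, and the browser loops until it gives up; a working setup serves the page on the first request and the Set-Cookie header for JSESSIONID carries the Secure attribute.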