Amey,

On 3/28/16 11:25 AM, Amey Rokde wrote:
> Maybe I didn't explain my question properly. What we have is a single
> web application running on https port 7070. This port is configured for
> https connection only and that's the reason there is a single connector. What
> we are seeing is if by mistake
> or intentionally the user types instead of https://localhost:7070/myapp he
> types http://localhost:7070/myapp
> the content with some garbled data gets downloaded. The question is
> whether I can prevent the garbled data and if so how I can do that.

There is currently no Tomcat-only solution that meets all of your
criteria (single connector). Apache httpd can respond with a plaintext
response (it's a 400, not a 404), but Apache Tomcat is not yet able to
do that.

I would like to reiterate that there is no security leak, here.

-chris

> On Mon, Mar 28, 2016 at 7:15 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Amey,
>
> On 3/28/16 3:54 AM, Amey Rokde wrote:
>>>> Dear Community
>>>>
>>>> We are using the apache-tomcat-7.0.55 and have configured only one
>>>> SSL connector (7070).
>>>>
>>>> The SSL connection (https) works properly and I am able to fetch
>>>> the request. But if we make http request we get the garbled data to
>>>> be downloaded in the browser.
>
> This is expected behavior.
>
>>>> I tried searching over the net but the information available is
>>>> more about redirect and things around it. What I want is to prevent
>>>> this garbled data and get more of http 404 not found.
>
> Then you need to make an HTTP connection, not an HTTPS one. It's easy
> to configure an HTTP connector that redirects to HTTPS.
>
>>>> Getting this garbled data is considered more or less a security
>>>> leak.
>
> Considered a security leak by whom? There is no information leakage.
> There are no secrets being transmitted. This is an inconvenience to
> the user that you can easily remedy.
>
>>>> I am attaching the sample server xml of the tomcat.
>
> Thanks, but it wasn't relevant (other than to confirm that you weren't
> configuring an HTTPS connector on a standard HTTP port such as 80).
>
>>>> Please advise what needs to be done.
>
> If you want your users to get a 404, then you should listen on port 80
> (for HTTP) and return 404 for all requests. If you want to do better
> than that, you should listen on port 80 (for HTTP) and redirect all
> requests to the secure port.
>
>>>> PS: the higher tomcat versions namely apache-tomcat-8.0.32 does not
>>>> show above behaviour.
>
> It should behave exactly the same way.
>
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
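
The "HTTP connector that redirects to HTTPS" suggested in the quoted reply, sketched as an added example that is not part of the original thread or anyone's actual configuration. Port 80 and port 7070 come from the messages above; the keystore path and password are placeholders, and the web-resource-name is an arbitrary label.

```xml
<!-- conf/server.xml, inside <Service>. Added example; keystore values are
     placeholders, not taken from the thread. -->

<!-- Plain-HTTP listener. redirectPort names the port Tomcat redirects to when
     the web application requires a confidential transport for a request. -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="7070" />

<!-- The HTTPS-only connector described in the thread. A plain-HTTP request
     typed against port 7070 itself still reaches this TLS endpoint; the
     connector above does not change that. -->
<Connector port="7070" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="/path/to/PLACEHOLDER.keystore"
           keystorePass="PLACEHOLDER" />

<!-- WEB-INF/web.xml of the application, inside <web-app>. Requires TLS for
     every URL, so a request arriving on port 80 is answered with a redirect
     to https on port 7070. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```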