Comments inline below.

On 6/4/2012 4:18 PM, Konstantin Kolinko wrote:
> 2012/6/5 Timothy J Schumacher <tim.schumac...@colorado.edu>:
>> We make a piece of IT equipment with Tomcat running inside serving an
>> application that acts as the administration console for the device. There
>> is also a Firefox browser running inside the equipment that exposes the web
>> application in question on the front panel touchscreen of the device. The
>> device also can be plugged into a network to facilitate remote management
>> via the web application. (...)
>
> Why do you need transport CONFIDENTIAL in your web.xml? Do you have
> some pages that are accessed via HTTP and some that are only HTTPS on
> the same Tomcat? That is when you need HTTP -> HTTPS redirection when
> user comes to the protected part.

I think you are right, I do not really need that. I guess I was really
just using CONFIDENTIAL to automatically do the redirect to the https
port for me. If I want to have http on port 80 still open to remote
users, what is the best way to automatically respond to all requests on
http port 80 with a redirect to port 443 without using transport
CONFIDENTIAL in my web.xml? This is just a convenience to users who
forget to put https (like me) when they open up a browser and type in a
URL. Should I implement a servlet filter that responds to all requests
on port 80 with the redirect?

> If your Tomcat serves only administrative console webapp, I think it
> could be a more simple configuration:
> 1) remove transport-guarantee CONFIDENTIAL
> 2) configure HTTPS connector that is accessible from outside
> (either do not specify address - to bind on all of them, or specify
> device's public IP)
> 3) configure HTTP connector with address="127.0.0.1" (no need for
> secure="true")
> This way the HTTP connector binds on the loopback address only and is
> not accessible from outside, regardless of your web.xml.

Yes, this is way better. Thanks! I guess I wasn't realizing that forcing
clients to use https implies "transport confidential" without actually
configuring transport confidential in the web.xml.

> If things are more complicated, you could implement a Filter that does
> the same job as transport-guarantee. The Connector that the client
> connects to could be distinguished by ServletRequest.getLocalAddr(),
> getLocalPort(), getScheme().
> Best regards,
> Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
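
The Filter approach raised at the end of the thread, as an added example (not code from the thread or from Tomcat): it tells the connectors apart with getScheme() and getLocalAddr() and redirects plain-HTTP requests from the network to HTTPS. The class name, the HTTPS port of 443 and the choice to let loopback requests through for the on-device browser are assumptions.

```java
import java.io.IOException;
import java.net.InetAddress;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; HttpsRedirectFilter is a hypothetical name.
public class HttpsRedirectFilter implements Filter {
    private static final int HTTPS_PORT = 443; // assumed TLS connector port

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getLocalAddr() is the address of the interface on which the connector
        // accepted the connection; request headers cannot influence it.
        boolean loopback =
                InetAddress.getByName(request.getLocalAddr()).isLoopbackAddress();

        // Already on the HTTPS connector, or the on-device browser: pass through.
        if ("https".equals(request.getScheme()) || loopback) {
            chain.doFilter(req, res);
            return;
        }

        // Rebuild the same URL on the HTTPS connector and redirect to it.
        StringBuilder target = new StringBuilder("https://").append(request.getServerName());
        if (HTTPS_PORT != 443) {
            target.append(':').append(HTTPS_PORT);
        }
        target.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            target.append('?').append(request.getQueryString());
        }
        response.sendRedirect(target.toString());
    }
}
```

Map the filter to `/*` in web.xml so it runs ahead of every servlet. The redirect is only a convenience: whatever the client put in that first plain-HTTP request has already crossed the network unencrypted.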