tomcat-users mailing list archives

From "Joe Shevland" <shevla...@kpi.com.au>
Subject RE: Tomcat 3.1 + HTTPS + redirects
Date Mon, 07 Aug 2000 11:32:43 GMT
Excuse my lurker status until now, but I've been puzzled by request.getScheme() not returning
'https' for SSL connections as well... even going back to JServ days. I've also verified (out
of sheer paranoia ;) that the connections are encrypted (via a traffic capture). Having said
that, I couldn't rely on JServ/Tomcat to tell me whether a connection was via SSL or not (hadn't
spotted the isSecure() method yet).

I've also had problems with response.sendRedirect() which up until now I've worked around
using absolute URLs, i.e. not optimal ;).

Regards,
Joe

>-----Original Message-----
>From: jrumney@venice.ipo.att.com [mailto:jrumney@venice.ipo.att.com]On
>Behalf Of Jason Rumney
>Sent: Monday, 7 August 2000 9:15 PM
>To: tomcat-user@jakarta.apache.org
>Subject: Re: Tomcat 3.1 + HTTPS + redirects
>
>
>Amos Shapira <amos.shapira@webcollage.com> writes:
>
>> Hmm,
>> 
>> First, it sounds possibly like a bug since the description of
>> javax.servlet.ServletRequest.getScheme() specifically lists "http" and
>> "https" as examples of possible return values.
>> 
>> Another way, not as clean as the originally proposed solution (which I
>> understand not to help), but maybe you can get the scheme and
>> add an "s" to it according to the return value of
>> javax.servlet.ServletRequest.isSecure()?
>
>request.isSecure() returns false (which is probably connected to
>getScheme() returning "http").  Ajp12ConnectionHandler.java does not
>appear to set a secure flag, or the scheme, so unless code elsewhere is
>parsing the request line and headers it appears that getScheme() will
>not work in Tomcat 3.1.
>
>
>> Also, are you 100% sure that https was actually used and not dropped
>> due to some certificate problems and such?
>
>I would be very surprised, and worried, if mod_ssl does such things
>silently behind the back of both user and server administrator.
>Certainly the logs indicate that "SSLv3 RC4-MD5" was used for the
>previous POST (which the redirect is being sent in response to).
>
>
>
>-- 
>Jason Rumney <jrumney@att.com>
>AT&T Labs (Redditch, UK)
>
>
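
The absolute-URL workaround mentioned in this thread for sendRedirect(), for a container where getScheme() and isSecure() report plain HTTP on an SSL connection, as an added example that is not part of the original messages: the redirect target is built from a deployment-configured external HTTPS base rather than from the scheme the container reports. The class name, method names and the host shop.example.com are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Added illustration; class, method and host names are hypothetical. */
public class SecureRedirect {
    // Externally visible origin, taken from deployment configuration,
    // never from request.getScheme() or request.isSecure().
    private final URI base;

    public SecureRedirect(String externalBase) throws URISyntaxException {
        URI u = new URI(externalBase);
        if (!"https".equalsIgnoreCase(u.getScheme()) || u.getHost() == null) {
            throw new IllegalArgumentException("external base must be an https URL with a host");
        }
        this.base = u;
    }

    /** Returns an absolute https URL for a server-relative path such as "/app/done". */
    public String absolute(String path) {
        // Accept only a server-relative path: no scheme-relative "//host",
        // no backslashes, no CR/LF that could split the Location header.
        if (path == null || !path.startsWith("/") || path.startsWith("//")
                || path.indexOf('\\') >= 0
                || path.indexOf('\r') >= 0 || path.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("expected a server-relative path");
        }
        URI target = base.resolve(path);
        // Resolution must not have changed the scheme or the authority.
        if (!base.getScheme().equalsIgnoreCase(target.getScheme())
                || !base.getRawAuthority().equals(target.getRawAuthority())) {
            throw new IllegalArgumentException("target left the configured origin");
        }
        return target.toString();
    }

    public static void main(String[] args) throws Exception {
        SecureRedirect r = new SecureRedirect("https://shop.example.com/");
        // In a servlet: response.sendRedirect(r.absolute("/app/receipt?id=7"));
        System.out.println(r.absolute("/app/receipt?id=7"));
    }
}
```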

