Return-Path:
Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-user@jakarta.apache.org
Received: (qmail 22458 invoked from network); 7 Aug 2000 11:30:06 -0000
Received: from www.kpi.com.au (203.39.132.210)
  by locus.apache.org with SMTP; 7 Aug 2000 11:30:06 -0000
Received: from grail (lurker.kpi.com.au [203.39.132.222])
  by www.kpi.com.au (8.9.3/8.9.3) with SMTP id VAA75287
  for ; Mon, 7 Aug 2000 21:33:29 +1000 (EST)
  (envelope-from shevlandj@kpi.com.au)
From: "Joe Shevland"
To:
Subject: RE: Tomcat 3.1 + HTTPS + redirects
Date: Mon, 7 Aug 2000 21:32:43 +1000
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To:
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N

Excuse my lurker status until now, but I've been puzzled by
request.getScheme() not returning 'https' for SSL connections as well...
even going back to JServ days. I've also verified (out of sheer paranoia
;) that the connections are encrypted (via a traffic capture). Having
said that, I couldn't rely on Jserv/Tomcat to tell me whether a
connection was via SSL or not (hadn't spotted the isSecure() method
yet).

I've also had problems with response.sendRedirect() which up until now
I've worked around using absolute URL's i.e. not optimal ;).

Regards,
Joe

>-----Original Message-----
>From: jrumney@venice.ipo.att.com [mailto:jrumney@venice.ipo.att.com]On
>Behalf Of Jason Rumney
>Sent: Monday, 7 August 2000 9:15 PM
>To: tomcat-user@jakarta.apache.org
>Subject: Re: Tomcat 3.1 + HTTPS + redirects
>
>
>Amos Shapira writes:
>
>> Hmm,
>>
>> First, it sounds possibly like a bug since the description of
>> javax.servlet.ServletRequest.getScheme() specifically lists "http" and
>> "https" as examples of possible return values.
>>
>> Another way, not as clean as the originally proposed solution (which I
>> understand not to help), but maybe you can get the scheme and
>> add an "s" to it according to the return value of
>> javax.servlet.ServletRequest.isSecure()?
>
>request.isSecure() returns false (which is probably connected to
>getScheme() returning "http"). Ajp12ConnectionHandler.java does not
>appear to set a secure flag, or the scheme, so unless code elsewhere is
>parsing the request line and headers it appears that getScheme() will
>not work in Tomcat 3.1.
>
>
>> Also, are you 100% sure that https was actually used and not dropped
>> due to some certificate problems and such?
>
>I would be very surprised, and worried, if mod_ssl does such things
>silently behind the back of both user and server administrator.
>Certainly the logs indicate that "SSLv3 RC4-MD5" was used for the
>previous POST (which the redirect is being sent in response to).
>
>
>
>--
>Jason Rumney
>AT&T Labs (Redditch, UK)
>
>
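
The absolute-URL workaround mentioned in this message, as an added example that is not part of the thread and not Tomcat code: the redirect location is resolved against a deployer-configured HTTPS origin instead of request.getScheme(), which the thread reports as returning "http" behind mod_ssl. `PUBLIC_BASE`, the host name, the paths and `absoluteRedirect` are constructed for illustration.

```java
import java.net.URI;

// Added illustration; not code from the thread or from Tomcat.
// PUBLIC_BASE is a constructed value standing in for the site's
// externally visible HTTPS origin.
public class RedirectTarget {
    // Set by the deployer; never derived from request.getScheme(),
    // which reports "http" when the front-end terminates SSL.
    static final URI PUBLIC_BASE = URI.create("https://shop.example.com/");

    /**
     * Resolve a redirect target against the configured public origin.
     * requestPath is the path of the request being answered (e.g. the POST);
     * target is what the application would have passed to sendRedirect().
     */
    static String absoluteRedirect(String requestPath, String target) {
        URI current = PUBLIC_BASE.resolve(requestPath);
        URI resolved = current.resolve(target).normalize();
        // Refuse anything that would leave the configured scheme or host,
        // e.g. an absolute http:// target that downgrades the session.
        if (!PUBLIC_BASE.getScheme().equals(resolved.getScheme())
                || !PUBLIC_BASE.getAuthority().equals(resolved.getAuthority())) {
            throw new IllegalArgumentException("redirect leaves " + PUBLIC_BASE);
        }
        return resolved.toString();
    }

    public static void main(String[] args) {
        // What a container that believes the scheme is "http" would build:
        URI seenByContainer = URI.create("http://shop.example.com/app/checkout");
        System.out.println("container view : " + seenByContainer.resolve("receipt.jsp"));

        // The same relative targets resolved against the configured origin:
        System.out.println("configured base: "
                + absoluteRedirect("/app/checkout", "receipt.jsp"));
        System.out.println("root-relative  : "
                + absoluteRedirect("/app/checkout", "/app/login.jsp"));

        // An absolute http:// target is rejected rather than followed:
        try {
            absoluteRedirect("/app/checkout", "http://shop.example.com/app/receipt.jsp");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected       : " + e.getMessage());
        }
    }
}
```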