tomcat-users mailing list archives

From Christopher Schultz
Subject Re: from https to http?
Date Thu, 04 Jan 2007 14:09:56 GMT

John Doe wrote:
> Of course that is not Tomcat's job, but if a redirection from http to
> https exists, I wonder why a reverse way does not exist in the
> "declarative security" mechanism provided by the servlet
> specification.

Oh, I understand what you're saying. But I still disagree.

The servlet spec offers a transport guarantee that a particular page
will only be available via HTTPS (by setting the transport to
CONFIDENTIAL, as you have done). This is an upgrade in service.

There is no alternate transport guarantee that states that the request
be made "in cleartext", because that's not actually a guarantee. :)

It looks like what you want is to forbid the use of HTTPS in a selection
of URLs (probably because SSL handshakes are very heavy operations). If
that's the case, you will really have to do this manually (or use some
kind of outside filter; I am ignorant of any such filters or valves).

> But as you point out, there are not so many places where a
> programmer must resolve this kind of situation.

Yeah. It turns out that these situations are usually not that big of a
deal to simply do the extra little bit of coding necessary. As others
have pointed out, some JSP tag libraries are useful for detecting the
"correct" protocol to use, as well as forcing a switch from HTTPS to
HTTP. I'm sure similar tools exist for other presentation strategies.

-chris
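
One way to do the manual HTTPS-to-HTTP switch described in the message, as an added example that is not part of the original message or of Tomcat: a servlet filter that redirects HTTPS requests for selected paths to HTTP. The class name, the init-param names (`canonicalHost`, `httpPort`, `cleartextPrefixes`) and the path prefixes are hypothetical; the target host is read from configuration rather than from the request's Host header, so the client cannot steer where the redirect points.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not from the thread. Class and init-param names are hypothetical.
public class CleartextOnlyFilter implements Filter {
    private String host;       // canonical host from config, never from the Host header
    private int httpPort;      // plain-HTTP connector port, defaults to 80
    private String[] prefixes; // context-relative path prefixes served over HTTP only

    public void init(FilterConfig cfg) throws ServletException {
        host = cfg.getInitParameter("canonicalHost");
        String port = cfg.getInitParameter("httpPort");
        String list = cfg.getInitParameter("cleartextPrefixes"); // e.g. "/images/,/static/"
        if (host == null || list == null || list.trim().length() == 0)
            throw new ServletException("canonicalHost and cleartextPrefixes are required");
        httpPort = (port == null) ? 80 : Integer.parseInt(port);
        prefixes = list.trim().split("\\s*,\\s*");
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Match on the container-decoded path, not the raw request URI.
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);
        // Redirect only GET/HEAD: a redirected POST would lose its body.
        String m = req.getMethod();
        boolean safeMethod = "GET".equals(m) || "HEAD".equals(m);
        if (req.isSecure() && safeMethod && matches(path)) {
            StringBuilder url = new StringBuilder("http://").append(host);
            if (httpPort != 80) url.append(':').append(httpPort);
            url.append(req.getRequestURI());
            if (req.getQueryString() != null) url.append('?').append(req.getQueryString());
            res.sendRedirect(url.toString());
            return;
        }
        chain.doFilter(rq, rs);
    }

    private boolean matches(String path) {
        for (int i = 0; i < prefixes.length; i++)
            if (path.startsWith(prefixes[i])) return true;
        return false;
    }

    public void destroy() {}
}
```

The prefixes must not overlap any URL pattern that carries the CONFIDENTIAL transport guarantee, or the filter and the container will redirect the request back and forth. Cookies set with the Secure attribute are not sent on the redirected HTTP request, so pages behind this filter should not depend on them.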
