tomcat-users mailing list archives

From Dave <>
Subject Re: how to auto redirect to https from http
Date Thu, 07 Feb 2008 16:01:52 GMT
Hi Chris,
  I moved the <user-data-constraint> inside the <web-resource-collection> as the
                        <web-resource-name>Automatic SLL Forwarding</web-resource-name>

  But it did not redirect to the secure URL.
  As you mentioned, if I start as http, then redirect to https when logging in, and keep https
after login. Does that mean https is using the http session? Is there any security hole? If
a man-in-the-middle knows the session id from http and the same session id is used by https?
  Thanks for help.

Christopher Schultz <> wrote:


Dave wrote:
| I tried the method, it worked.
| But when I tried to protect login page only,
| protected
| /login.jsp
| restarted tomcat, and went to
| it was redirected to secure URL. It should stay insecure until going to login page.
| anything I was missing?

Is that your entire configuration? If you've
told Tomcat that /* should be CONFIDENTIAL, then all traffic will be
redirected to HTTPS.

Move the CONFIDENTIAL part into the that
represents your login page, and leave the rest of the app non-CONFIDENTIAL.

Remember that Tomcat will not automatically go from HTTPS to HTTP, so
you'll have to make that happen yourself. Also remember that if your
session id cookie was created in HTTPS mode, your browser will not send
it back to the server when you're in HTTP mode.

-chris


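Added example, not part of either message above: a `WEB-INF/web.xml` fragment that applies the CONFIDENTIAL transport guarantee to `/login.jsp` only, as the reply describes. The resource name "Login page" is constructed for illustration; the element names and nesting are those of the servlet deployment descriptor.

```xml
<!-- Fragment of WEB-INF/web.xml (constructed example).
     Only /login.jsp is forced onto HTTPS; no constraint covers /*,
     so the rest of the application stays reachable over plain HTTP. -->
<web-app>

  <security-constraint>
    <web-resource-collection>
      <!-- Descriptive label only; it has no effect on matching. -->
      <web-resource-name>Login page</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
    </web-resource-collection>

    <!-- user-data-constraint is a direct child of security-constraint,
         a sibling of web-resource-collection. Nesting it inside
         web-resource-collection is not valid in the descriptor schema,
         and the constraint will not take effect as intended. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

Tomcat sends the redirect to the port named in the `redirectPort` attribute of the HTTP `<Connector>` in `server.xml`, so that value must point at the HTTPS connector.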