tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Disabling http connector
Date Thu, 11 Mar 2010 13:13:14 GMT
Cummins College wrote:
> Hi,
> 
> I know that https by enabling the secure attribute to true. But what if I
> want to "disable" the http connector?
> 
> To elaborate, I want the https connector to be disabled when http runs and
> vice versa. What changes should be done?
> However, not by changing the secure attribute.
> 
> We know most of you don't exactly agree or approve of our idea about fiddling
> with the http connector, but please do help!

It is not that we don't /agree/, it is that we can't really see the 
point, or what you are trying to achieve, or how it could possibly work 
in practice.

Let me give you an example :

Say users start by getting a "menu" page from your site, using a http link :
http://yoursite.yourcompany.com/welcome.html

Now inside that page which the browser just got from your site, and 
which is now in the browser's memory, there are links to various things 
the users can do on your site.  For example :

<a href="/students/sign-up.html">sign up as a student</a>
<a href="/students/sign-off.html">cancel your account</a>
<a href="/info/programs.html">study programs</a>
etc...

So, when the user is going to click on such a link, the /browser/ will 
interpret this in function of the protocol and host which was used to 
get "welcome.html", and for example for the first link, it is going to 
issue a request to :
http://yoursite.yourcompany.com/students/sign-up.html

That means that the browser is going to try to set up a connection with 
the server, using the HTTP protocol, over a non-secure connection.

Now suppose that in the meantime, you have disabled HTTP on port 80, and 
forced it to be HTTPS.
Well then, this request from the client is going to fail, because it is 
still going to try for a HTTP connection, because /that is the meaning 
of the link it has in the page currently loaded in the browser/.
And the Connector on port 80, which is suddenly accepting only HTTPS 
connections, is going to refuse that HTTP connection request.

Changing the connector's protocol is not going to suddenly and magically 
update all the welcome.html pages which have been already loaded by the 
browsers accessing your site, and the links in those pages.
It is also not going to magically update all the pages on your site 
which already have these links in them, even if browsers have not 
received them yet.

If you want a client, at some point, to stop using HTTP and switch to 
HTTPS, then the correct method is not to mysteriously change the nature 
of the protocol "under their nose".
One correct method is to ensure that for links which you want to be used 
under HTTPS, you return in your pages the appropriate link, like :
<a href="https://yoursite.yourcompany.com/students/sign-up.html">sign up 
as a student</a>
instead of
<a href="http://yoursite.yourcompany.com/students/sign-up.html">sign up 
as a student</a>

Another correct method is, when the browser requests a page using HTTP, 
to return a "redirect" response to the browser saying :
"for this page, which you wanted as 
"http://yoursite.yourcompany.com/students/sign-up.html", please use this 
address instead :
https://yoursite.yourcompany.com/students/sign-up.html

That is called a "redirect" response, with a HTTP status code 302.
Upon receiving such a response, the browser will, automatically and 
transparently, without even asking the user, make a new request to the 
server, this time for
https://yoursite.yourcompany.com/students/sign-up.html

And on the server side, this new request will be received and processed 
by the HTTPS connector, not the HTTP one.
The HTTP and the HTTPS Connector are both set up in advance, ready to 
receive requests on their respective ports and using their respective 
type of TCP/IP connection, and they do not interfere with one another.

If you want to take a Connector which is currently active and using one 
protocol, and change its protocol on the fly, then please state a valid 
reason to do this, that we could understand what you are trying to 
achieve, and which the current HTTP RFC and associated webservers cannot 
do in some standard way.


Note that in the above, I am simplifying the problem which would happen, 
because switching from HTTP to HTTPS is not just a matter of having a 
browser being refused a connection.  It would also cause any existing 
live connection between browsers and the server to be aborted, for 
reasons that would appear mysterious to anyone watching the logfiles or 
the traffic for instance.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
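
The two behaviours described in the message above, as an added example that is not part of the original post: a relative link in a page loaded over HTTP resolves to an HTTP URL, and a plain-HTTP listener that stays up can answer with a 302 pointing at the HTTPS address. Port 8443 and all function and class names are assumptions made for the illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin

# Constructed values: host name from the message, 8443 as an assumed HTTPS port.
HTTPS_ORIGIN = "https://yoursite.yourcompany.com:8443"

def resolve_link(page_url, href):
    """What the browser requests for a link found in an already-loaded page."""
    return urljoin(page_url, href)

class RedirectToHttps(BaseHTTPRequestHandler):
    """Plain-HTTP listener that stays up and answers every GET with a 302."""
    def do_GET(self):
        # self.path carries path and query string, so both survive the redirect.
        self.send_response(302)
        self.send_header("Location", HTTPS_ORIGIN + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass

def fetch_without_following(port, path):
    """Issue one plain-HTTP GET; return (status, Location) as the browser sees it."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def demo():
    server = HTTPServer(("127.0.0.1", 0), RedirectToHttps)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # A page loaded over HTTP keeps producing HTTP requests for its relative links.
        link = resolve_link("http://yoursite.yourcompany.com/welcome.html",
                            "/students/sign-up.html")
        status, location = fetch_without_following(server.server_address[1],
                                                   "/students/sign-up.html?term=1")
        return link, status, location
    finally:
        server.shutdown()
        server.server_close()
```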

