tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Timothy J Schumacher <Tim.Schumac...@Colorado.EDU>
Subject Re: transport CONFIDENTIAL based on remote ip/host filter?
Date Mon, 04 Jun 2012 17:36:47 GMT
On 5/31/2012 1:30 PM, Konstantin Kolinko wrote:
> 2012/5/31 Timothy J Schumacher<>:
>> Hi,
>> We are using Apache Tomcat 6.0.35
>> with
>> # java -version
>> java version "1.6.0_30"
>> Java(TM) SE Runtime Environment (build 1.6.0_30-b12)
>> Java HotSpot(TM) Client VM (build 20.5-b03, mixed mode, sharing)
>> in redhat linux.
>> I am wondering if there is a way to use transport CONFIDENTIAL for all hosts
>> that are not localhost?  I am guessing the servlet spec does not allow this,
>> it seems to be all or none in the web.xml config.  Perhaps there is a way
>> configure transport NONE in web.xml and then manually configure a
>> valve/filter in context.xml that would enforce CONFIDENTIAL to all remote
>> hosts but let localhost pass without redirects to port 443?
>> Any ideas are appreciated!
> <Connector ... address="" secure="true" />
> It will
> 1. Listen on localhost only.
> 2. Be treated by Tomcat as if it were an HTTPS connection.

Hi Konstantine, thanks this works!  I have one more question.  I assume 
that setting secure="true" means that the cookie JSESSIONID has "Secure" 
set.  This causes my browser (an old version of FF) to not send the 
cookie which I assume is due to the fact that the communication is over 
a plain http connection.  Since we have not diligently coded encodeURLs 
everywhere the application loses the session on occasion.  Is there a 
way to tell the component that sets the cookie to not set "Secure" only 
for this particular connector?

Thanks again!

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message