On 5/31/2012 1:30 PM, Konstantin Kolinko wrote:
> 2012/5/31 Timothy J Schumacher <Tim.Schumacher@colorado.edu>:
>> Hi,
>>
>> We are using Apache Tomcat 6.0.35
>>
>> with
>>
>> # java -version
>> java version "1.6.0_30"
>> Java(TM) SE Runtime Environment (build 1.6.0_30-b12)
>> Java HotSpot(TM) Client VM (build 20.5-b03, mixed mode, sharing)
>>
>> in Red Hat Linux.
>>
>> I am wondering if there is a way to use transport CONFIDENTIAL for all hosts
>> that are not localhost? I am guessing the servlet spec does not allow this,
>> it seems to be all or none in the web.xml config. Perhaps there is a way
>> to configure transport NONE in web.xml and then manually configure a
>> valve/filter in context.xml that would enforce CONFIDENTIAL to all remote
>> hosts but let localhost pass without redirects to port 443?
>>
>> Any ideas are appreciated!
>>
> <Connector ... address="127.0.0.1" secure="true" />
>
> It will
> 1. Listen on localhost only.
> 2. Be treated by Tomcat as if it were an HTTPS connection.

Hi Konstantin, thanks, this works! I have one more question. I assume
that setting secure="true" means that the cookie JSESSIONID has "Secure"
set. This causes my browser (an old version of FF) to not send the
cookie, which I assume is due to the fact that the communication is over
a plain HTTP connection. Since we have not diligently coded encodeURLs
everywhere, the application loses the session on occasion. Is there a
way to tell the component that sets the cookie to not set "Secure" only
for this particular connector?

Thanks again!
Tim
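
The connector layout discussed in this thread, written out as an added example (not part of the original messages and not taken from the poster's configuration). The port numbers, keystore path and password are placeholders assumed for illustration; the attribute names are standard Tomcat `Connector` and servlet `web.xml` settings.

```xml
<!-- conf/server.xml (fragment). Ports 8080/8443/8081 are assumed values. -->

<!-- Public plain-HTTP connector. A request that matches a CONFIDENTIAL
     constraint is redirected to redirectPort. -->
<Connector port="8080" protocol="HTTP/1.1"
           redirectPort="8443" />

<!-- Public TLS connector. keystoreFile/keystorePass are placeholders. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="conf/PLACEHOLDER.keystore"
           keystorePass="PLACEHOLDER" />

<!-- Loopback-only plain-HTTP connector.
     secure="true" makes request.isSecure() return true on this connector,
     so the CONFIDENTIAL constraint is satisfied with no redirect to 443.
     The same flag is why a session cookie issued here is marked Secure.
     address="127.0.0.1" is the control that keeps this safe: without it
     the connector listens on every interface, and remote clients could
     reach protected resources over cleartext. -->
<Connector port="8081" protocol="HTTP/1.1"
           address="127.0.0.1" secure="true" />

<!-- WEB-INF/web.xml (fragment). The constraint is application-wide; which
     requests count as "confidential" is decided per connector above. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

After a restart, checking that the loopback port is bound only to 127.0.0.1 (for example with `netstat -tln`) confirms that the cleartext path is not reachable from other hosts.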