tomcat-users mailing list archives

From Timothy J Schumacher <Tim.Schumac...@Colorado.EDU>
Subject Re: transport CONFIDENTIAL based on remote ip/host filter?
Date Mon, 04 Jun 2012 23:11:42 GMT
Comments inline below.

On 6/4/2012 4:18 PM, Konstantin Kolinko wrote:
> 2012/6/5 Timothy J Schumacher<>:
>> We make a piece of IT equipment with tomcat running inside serving an
>> application that acts as the administration console for the device.  There
>> is also a firefox browser running inside the equipment that exposes the web
>> application in question on the front panel touchscreen of the device.  The
>> device also can be plugged into a network to facilitate remote management
>> via the web application.  (...)
> Why do you need transport CONFIDENTIAL in your web.xml?  Do you have
> some pages that are accessed via HTTP and some that are only HTTPS on
> the same Tomcat?  That is when you need HTTP ->  HTTPS redirection when
> user comes to the protected part.
I think you are right, I do not really need that.  I guess I was really 
just using CONFIDENTIAL to automatically do the redirect to the https 
port for me.  If I want to have http on port 80 still open to remote 
users, what is the best way to automatically respond to all requests on 
http port 80 with a redirect to port 443 without using transport 
CONFIDENTIAL in my web.xml?  This is just a convenience to users who 
forget to put https (like me) when they open up a browser and type in a 
url.  Should I implement a servlet filter that responds to all requests 
on port 80 with the redirect?

> If your tomcat serves only administrative console webapp, I think it
> could be a more simple configuration:
> 1) remove transport-guarantee CONFIDENTIAL
> 2) configure HTTPS connector that is accessible from outside
> (either do not specify address - to bind on all of them, or specify
> device's public IP)
> 3) configure HTTP connector with address=""  (no need for
> secure="true")
> This way the HTTP connector binds on the loopback address only and is
> not accessible from outside, regardless of your web.xml.
Yes, this is way better - thanks!  I guess I wasn't realizing that forcing 
clients to use https implies "transport confidential" without actually 
configuring transport confidential in the web.xml.

> If things are more complicated, you could implement a Filter that does
> the same job as transport-guarantee.  The Connector that the client
> connects to could be distinguished by ServletRequest.getLocalAddr(),
> getLocalPort(), getScheme().
> Best regards,
> Konstantin Kolinko

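The two approaches discussed in the thread (binding the HTTP connector to loopback, and a Filter that does the job of transport-guarantee CONFIDENTIAL for the remaining case) can be combined. The Filter below is an added example written for this archive page; it is not code from either poster and not part of Tomcat. It assumes the javax.servlet API of Tomcat 7 and two hypothetical init-params, "httpsPort" and "canonicalHost", which are my names, not anything Tomcat defines. It decides which Connector the client arrived on with ServletRequest.isSecure()/getScheme(), as Konstantin suggests, and answers plain-HTTP GET/HEAD requests with a 301 to the same path on HTTPS.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Redirects any request that arrived over plain HTTP to the same URL on HTTPS.
 * Added example for this thread, not Tomcat code. Register it in web.xml with a
 * url-pattern of /* so it runs before every servlet.
 */
public class HttpsRedirectFilter implements Filter {
    // Hypothetical init-params (my names, not Tomcat's); defaults shown.
    private int httpsPort = 443;
    private String canonicalHost = null;   // if set, overrides the Host header

    @Override
    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("httpsPort");
        if (p != null) httpsPort = Integer.parseInt(p.trim());
        String h = cfg.getInitParameter("canonicalHost");
        if (h != null && !h.trim().isEmpty()) canonicalHost = h.trim();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true for requests received on a Connector configured with
        // secure="true" (the HTTPS one); getScheme()/getLocalPort() identify the
        // Connector as well. Anything already on HTTPS passes straight through.
        if (request.isSecure() || "https".equalsIgnoreCase(request.getScheme())) {
            chain.doFilter(req, res);
            return;
        }

        // Only idempotent requests are safe to redirect; a POST body would be
        // silently dropped by the client when it follows the redirect.
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        // getServerName() comes from the client-supplied Host header. Preferring a
        // configured canonical host keeps an attacker from turning this filter
        // into an open redirect to a host of their choosing.
        String host = canonicalHost != null ? canonicalHost : request.getServerName();
        String target = buildHttpsUrl(host, httpsPort,
                request.getRequestURI(), request.getQueryString());

        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); // 301
        response.setHeader("Location", target);
    }

    /** Builds https://host[:port]/uri[?query], omitting the port when it is 443. */
    static String buildHttpsUrl(String host, int port, String uri, String query) {
        StringBuilder sb = new StringBuilder("https://").append(host);
        if (port != 443) sb.append(':').append(port);
        sb.append(uri);
        if (query != null) sb.append('?').append(query);
        return sb.toString();
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

With Konstantin's layout the filter only ever sees plain HTTP from the front-panel browser, because the HTTP Connector in server.xml carries address="127.0.0.1" and is unreachable from the network; the filter is only needed if port 80 is deliberately left open to remote users as the convenience redirect Tim describes. One caveat: a 301 is cached by browsers, so if the HTTPS port or host ever changes, clients that saw the old redirect will keep following it until their cache is cleared; use 302 while the configuration is still in flux.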
