tomcat-users mailing list archives

From Léa Massiot <lmhe...@orange.fr>
Subject Re: From HTTP to HTTPS request.getHeader("referer")
Date Mon, 03 Nov 2014 18:01:44 GMT
Hi, thank you for your answer.

> On 2014-11-03 4:34 PM, Christopher Schultz wrote:
> Redirects definitely work with HTTPS. You must be doing something
> wrong. Perhaps a configuration mistake with a port number or something
> like that.

My configuration in Tomcat 7.0.55 "server.xml" is:
(
- basically it is the same as the one packaged in the Tomcat distribution, I only changed the connectors;
- I removed all the comments and I'm testing on localhost for this config.
)
-----------------------------------------------------------------------------
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">

    <Connector port="443"
               keystoreFile="where/the/ssl/keystore/is/kstore.txt"
               keystorePass="example"
               SSLEnabled="true"
               acceptCount="100"
               clientAuth="false"
               disableUploadTimeout="true"
               enableLookups="false"
               maxThreads="25"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https"
               secure="true"
               sslProtocol="TLS" />

    <Connector port="80" enableLookups="false" redirectPort="443"/>

    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

    <Engine name="Catalina" defaultHost="localhost">

      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>
-----------------------------------------------------------------------------

As for the webapp I would like to "HTTPS serve", I only added what follows
to its "web.xml":
-----------------------------------------------------------------------------
  <security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
-----------------------------------------------------------------------------

Is there something wrong or missing?

> On 2014-11-03 4:34 PM, Christopher Schultz wrote:
> So use redirects. They should work and you should figure out why they
> aren't working. Put your code back the way you had it, take more data,
> and post a new question if you need help.

Ok. Thank you.
I restored the "sendRedirect()" calls I was making at first.
I proceeded like I described in my last post: passing complete URLs to the
"sendRedirect()" methods (ex. sendRedirect("https://host/webapp/example.jsp");).
As a reminder, before, I used to pass only the JSP page name as an argument
to the sendRedirect() method (ex. sendRedirect("example.jsp");).
It looks like the webapp is now working nicely.
I noticed your comment about encodeRedirectURL(). Thanks for mentioning it.

> When you use a "forward", you will always end up with the URL the
> client first used as what the client "sees". If you want to accept
> data (e.g. POST) *and* prepare some data for the next screen to be
> seen, consider a POST-then-redirect scheme:
>
> 1. Client POSTs to some URL e.g. /do_example
> 2. /do_example servlet runs and handles the POST data, then
> redirect()s to /prepare_view
> 3. /prepare_view servlet runs and gathers whatever data is appropriate
> for the next display screen and forward()s to /example1.jsp
>
> After all that, the user is looking at the URL /prepare_view instead
> of /do_example. That way, your referrer for the next POST will be
> /prepare_view instead of /do_example.

Thank you. It's interesting.

> What if the user hits the BACK button and looks at a previous page,
> then re-submits that old page? Your server thinks that the source page
> was "example1.jsp" but the client actually posted example0.jsp or
> something else...
>
> Web application workflow management is non-trivial.

Yes, it's tricky.

Best regards. 
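
The POST-then-redirect scheme quoted in this message, as an added servlet sketch that is not code from the thread or from Tomcat. The paths `/do_example`, `/prepare_view` and `/example1.jsp` come from the message; the class names, the `name` form field and the `lastSubmittedName` session key are hypothetical.

```java
// DoExampleServlet.java: steps 1 and 2 (handle the POST, then redirect)
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/do_example")
public class DoExampleServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Handle the POST data and keep the result server-side, not in the URL.
        String name = req.getParameter("name");          // hypothetical field
        if (name == null || name.trim().isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        req.getSession().setAttribute("lastSubmittedName", name);

        // Fixed, server-chosen target. It is never derived from the Referer
        // header or any other request data, so it cannot be steered elsewhere.
        String target = req.getContextPath() + "/prepare_view";
        resp.sendRedirect(resp.encodeRedirectURL(target));
    }
}

// PrepareViewServlet.java: step 3 (same imports as above)
@WebServlet("/prepare_view")
public class PrepareViewServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Workflow state comes from the session, not from the Referer header,
        // so a reload or the BACK button does not change what the server sees.
        HttpSession session = req.getSession(false);
        Object name = (session == null)
                ? null : session.getAttribute("lastSubmittedName");
        if (name == null) {
            // Reached directly, or the session expired: nothing to display.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Gather the data for the next screen, then forward to the JSP.
        // The JSP must escape this value on output (for example with <c:out>).
        req.setAttribute("name", name);
        req.getRequestDispatcher("/example1.jsp").forward(req, resp);
    }
}
```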
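
The "configuration mistake with a port number" possibility raised in the quoted reply can be checked mechanically. The following is an added example, not part of the thread or of Tomcat: it reports every non-TLS `<Connector>` whose `redirectPort` does not match the port of a TLS connector. The class name `RedirectPortCheck` is hypothetical, and the sample XML is constructed from the three connectors in the message with the keystore attributes left out.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class RedirectPortCheck {
    // Constructed sample: the connectors from the message, trimmed.
    static final String SAMPLE =
        "<Server><Service name='Catalina'>"
      + "<Connector port='443' SSLEnabled='true' scheme='https' secure='true'/>"
      + "<Connector port='80' redirectPort='443'/>"
      + "<Connector port='8009' protocol='AJP/1.3' redirectPort='443'/>"
      + "</Service></Server>";

    static List<String> check(String serverXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations so the audit tool itself is not XXE-prone.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(serverXml.getBytes(StandardCharsets.UTF_8)));
        NodeList conns = doc.getElementsByTagName("Connector");

        // Pass 1: ports of connectors that terminate TLS and say so.
        Set<String> tlsPorts = new HashSet<>();
        for (int i = 0; i < conns.getLength(); i++) {
            Element c = (Element) conns.item(i);
            if ("true".equals(c.getAttribute("SSLEnabled"))
                    && "https".equals(c.getAttribute("scheme"))
                    && "true".equals(c.getAttribute("secure")))
                tlsPorts.add(c.getAttribute("port"));
        }
        // Pass 2: every other connector must redirect to one of those ports.
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < conns.getLength(); i++) {
            Element c = (Element) conns.item(i);
            if ("true".equals(c.getAttribute("SSLEnabled"))) continue;
            String rp = c.getAttribute("redirectPort");
            if (!tlsPorts.contains(rp))
                findings.add("connector " + c.getAttribute("port")
                    + ": redirectPort '" + rp + "' is not a TLS connector");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(check(SAMPLE));
        // Constructed mismatch: redirect to a port nothing listens on with TLS.
        System.out.println(check(SAMPLE.replace("redirectPort='443'/>",
                                                "redirectPort='8443'/>")));
    }
}
```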


