tomcat-users mailing list archives

From Léa Massiot <lmhe...@orange.fr>
Subject Re: From HTTP to HTTPS request.getHeader("referer")
Date Tue, 04 Nov 2014 10:46:50 GMT
Hi,

> Christopher Schultz wrote:
> If you want to switch protocols

I don't think I want that... but maybe I do not understand properly what you
mean...
For the webapp I've been considering in that thread, I would like Tomcat to
serve pages only via HTTPS.
I do not want some pages to be served via HTTP and some others to be served
via HTTPS.
I don't know if it clarifies my point...

Have you had a little time to have a look at the configuration files I
posted yesterday (complete "server.xml" and excerpt from the webapp's
"web.xml")?

1) In "web.xml", I set the "CONFIDENTIAL" security constraint which, as far
as I understood, imposes the use of the HTTPS protocol to serve the JSP
pages of the webapp.

2) Ideally, I would like the webapp users to enter HTTPS URLs in their
browser URL bar/directly click URLs like https://host/webapp/a-page.jsp.
But I also would like them to be able to enter HTTP URLs like
http://host/webapp/a-page.jsp which are, to my understanding, automatically
"transformed" into https://host/webapp/a-page.jsp thanks to the "server.xml"
configuration line:
--------------------------------------------------------------------------------
<Connector port="80" enableLookups="false" redirectPort="443"/>
--------------------------------------------------------------------------------
I realize I do not know what happens to the request in that case
(http://host/webapp/a-page.jsp). Is it encoded or not?

> Terence M.  Bandoian wrote:
> I'm not sure how you're using it but it's worth pointing out that
> response.sendRedirect "Sends a temporary redirect response to the
> client..."  The client (browser) must then send another request to the
> server before any additional processing takes place.  In contrast,
> pageContext.forward takes place entirely on the server. 

I didn't know that.
I thought there was one HTTP(S) request and one HTTP(S) response only.
How can the mechanism you describe above affect the use of HTTPS for a
webapp with the "CONFIDENTIAL" security constraint on a standalone Tomcat
server?

I'm using "sendRedirect()" in a very straightforward way I think.
I use some sort of "pipelines" for a subset "S" of JSPs in the webapp:
1) Given a JSP "s" in "S", it contains a "form" with an "action" attribute
mapped via "web.xml" to a servlet L.
2) The servlet L implements either a doPost() or (rarely) a doGet() method.
3) Given what was submitted via the form, "work" is performed in the
servlet.
4) When the servlet work is done and depending on the result (success 1,
..., success n / error 1, ..., error n), the servlet redirects towards the
next JSP using the method "sendRedirect()".
Is there "a temporary redirect response to the client" in that case?
Is this behavior documented somewhere? I could totally benefit from good
documentation...

Best regards.



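The redirect exchange discussed in this message, as an added example that is not part of the original post: a Python stand-in (not Tomcat) for the plain-HTTP connector answers each request with a 302 to the same path over HTTPS and records what it read in cleartext before doing so. The class name `PlainConnector`, the `/webapp/login` path and the form values are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SEEN = []  # (method, path, body) as read in cleartext by the plain listener

class PlainConnector(BaseHTTPRequestHandler):
    """Hypothetical stand-in for a cleartext connector with redirectPort=443."""

    def do_GET(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        SEEN.append((self.command, self.path, body))  # already received unencrypted
        host = self.headers["Host"].split(":")[0]
        self.send_response(302)  # temporary redirect: the client must ask again
        # Same host and path over HTTPS; the default port 443 is left out.
        self.send_header("Location", "https://" + host + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_POST = do_GET

    def log_message(self, *args):  # silence per-request logging
        pass

def exchange(method, path, body=None):
    """Send one request, do not follow the redirect; return (status, Location)."""
    server = HTTPServer(("127.0.0.1", 0), PlainConnector)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request(method, path, body=body)
        resp = conn.getresponse()
        resp.read()
        result = (resp.status, resp.getheader("Location"))
        conn.close()
        return result
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    # Constructed inputs: the page's example path, then a made-up form POST.
    print(exchange("GET", "/webapp/a-page.jsp"))
    print(exchange("POST", "/webapp/login", "user=alice&password=constructed"))
    print(SEEN)
```

Whatever travels with the first request (query string, form fields, cookies without the Secure flag) crosses the network unencrypted before the redirect is issued; only the second request, which the browser sends to the `Location` URL, is protected by TLS.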