tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: From HTTP to HTTPS request.getHeader("referer")
Date Tue, 04 Nov 2014 15:46:56 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Léa,

On 11/4/14 5:46 AM, Léa Massiot wrote:
>> Christopher Schultz wrote: If you want to switch protocols
> 
> I don't think I want that... but maybe I do not understand properly
> what you mean... For the webapp I've been considering in that
> thread, I would like Tomcat to serve pages only via HTTPS. I do not
> want some pages to be served via HTTP and some others to be served 
> via HTTPS. I don't know if it clarifies my point...

If you are already in HTTPS protocol and don't want to switch, then
you shouldn't have to specify the protocol in the redirect.

> Have you had a little time to have a look at the configuration
> files I posted yesterday (complete "server.xml" and excerpt from
> the webapp's "web.xml")?

Yes, they don't really help in any way because they don't describe use
cases. You didn't provide anything like "I want X, I tried Y, and Z
happened" so it's hard to help you out.

> 1) In "web.xml", I set the "CONFIDENTIAL" security constraint
> which, as far as I understood, imposes the use of the HTTPS
> protocol to serve the JSP pages of the webapp.

Yes. Tomcat should therefore handle redirecting the user from HTTP to
HTTPS on the first request.

> 2) Ideally, I would like the webapp users to enter HTTPS URLs in
> their browser URL bar/directly click URLs like
> https://host/webapp/a-page.jsp. But I also would like them to be
> able to enter HTTP URLs like http://host/webapp/a-page.jsp which
> are, to my understanding automatically "transformed" into
> https://host/webapp/a-page.jsp thanks to the "server.xml" 
> configuration line: 
> --------------------------------------------------------------------------------
> <Connector port="80" enableLookups="false" redirectPort="443"/>
> --------------------------------------------------------------------------------
> 
> I realize I do not know what happens to the request in that case
> (http://host/webapp/a-page.jsp). Is it encoded or not?

Tomcat should redirect the user to https://host/webapp/a-page.jsp.
Your JSP code will not run in this case until the HTTPS request has
been received.

Look at your access log to find out what's going on when you request
an http:// URL.

>> Terence M. Bandoian wrote: I'm not sure how you're using it but
>> it's worth pointing out that response.sendRedirect "Sends a
>> temporary redirect response to the client..."  The client
>> (browser) must then send another request to the server before any
>> additional processing takes place.  In contrast, 
>> pageContext.forward takes place entirely on the server.
> 
> I didn't know that. I thought there was one HTTP(S) request and one
> HTTP(S) response only. How can the mechanism you describe above
> affect the use of HTTPS for a webapp with the "CONFIDENTIAL"
> security constraint on a standalone Tomcat server?

Read about what an HTTP redirect does.

> I'm using "sendRedirect()" in a very straightforward way I think.

+1

> I use some sort of "pipelines" for a subset "S" of JSPs in the
> webapp: 1) Given a JSP "s" in "S", it contains a "form" with an
> "action" attribute mapped via "web.xml" to a servlet L. 2) The
> servlet L  implements either a doPost() or (rarely) a doGet()
> method. 3) Given what was submitted via the form, "work" is
> performed in the servlet. 4) When the servlet work is done and
> depending on the result (success 1, ..., success n / error 1, ...,
> error n), the servlet redirects towards the next JSP using the
> method "sendRedirect()".

I would say this is a pretty standard way to do things: the
form-handler should do its job and then *redirect* (not forward) to
another page. Otherwise, re-loading the next page on the client will
re-submit the form, which is rarely what you want to have happen.

> Is there "a temporary redirect response to the client" in that
> case?
> 
> Is this behavior documented somewhere? I could totally benefit from
> a good documentation...

A "temporary redirect" is a term right from the HTTP spec. It means a
302 response code which has a special meaning to clients. Google for
"http status codes" and read about them all. It's good to know these
things.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUWPTvAAoJEBzwKT+lPKRYzBUQAL409gE2n0wI8t3B5JBdvXoB
y6RjmdT2mD4WWVlsqoDmzXP6M3ziVDifsn+oj9bggHGtRaA8RKCXVGvFHrq+WQ4b
j2r8hdGoUkbPBOY68m0F+IFOceTn3UWw84kjySfLtfyqldkvoBoRXBPTKq4aviok
eMMnRmCr6XhwKfMY9lVaqFJQ+XwLViij4bqvu/oAmS71jzruBTVv1ZhYMGhICBcq
10jA9ow0XhyHcEcgwZAFJ0U8xqKdNHYWgvjj83TY6lkih0Gvo/pjEWYMFfJN4aR1
U8feGtKtiy5H7JQwlA3x7vDniqzop8dnyZM83pEtsIUV+GKihXVp+n0glSt2ryPW
c5fUF58JtpRYk/3k/3vvwl4NU+FmcyXLjDl1EgUD8icDGH0lUZH+tYvHZCR02h1/
v8fn+d4WUdpDUtIkJSdEDSCbVhdmTSZdxPcbRby1GwZWr82wWBM3lWEXSSwB7+vq
Cnd895ithqp42vWpIIzs5Won9DdvZ9EgPfBBsEtA7+VGiz+N9wXVQg0TZhvj9JxK
3foXkmGZEZE/xHLs822UqZ9YAiCkbQmfQbZARSppkBBWqhuXdG9opaMvOMwdFJaY
1SutJpFczUqaxDrvq8HSaGKVA9sYxc1phXM3VkvUkvGyXddFQdLkkU2C44NOjSpV
DMQNpgPedI0rQRZSCuoO
=6hs8
-----END PGP SIGNATURE-----
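What the two redirects discussed in this message look like on the wire, as an added example that is not code from the thread or from Tomcat. A small Python stand-in plays the container: a "port 80" listener answers every request under the CONFIDENTIAL constraint with a 302 to the HTTPS port (what the `redirectPort="443"` Connector plus the web.xml transport-guarantee produce), and a form handler finishes with a 302 the way `sendRedirect()` does, so the browser must issue a fresh GET and a later reload does not re-run the handler. The host name `host`, the paths `/webapp/a-page.jsp`, `/webapp/handler` and `/webapp/result.jsp`, and the fact that the "HTTPS" listener is served in clear on a local port (so no certificate is needed) are assumptions of the example, not details from the page.

```python
"""Added example, not from the original message or from Tomcat.
Assumed names: host name "host", the three /webapp/ paths below, and a
local clear-text listener standing in for the port-443 Connector."""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

HOST = "host"          # assumed public host name the user types in
REDIRECT_PORT = 443    # stands in for redirectPort="443" on the port-80 Connector
WORK_DONE = []         # one entry per time the form handler really runs

FORM = (b'<form method="post" action="/webapp/handler">'
        b'<input name="item"><input type="submit"></form>')


class PlainConnector(BaseHTTPRequestHandler):
    """Stand-in for the port-80 Connector: the webapp's pages are
    CONFIDENTIAL, so every request is bounced to https on REDIRECT_PORT
    with the same path. No JSP or servlet code executes on this hop."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", f"https://{HOST}:{REDIRECT_PORT}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_POST = do_GET

    def log_message(self, *args):
        pass


class SecureConnectorStandIn(BaseHTTPRequestHandler):
    """Stand-in for the port-443 Connector (served in clear locally)."""

    def _send(self, status, body, content_type="text/plain"):
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == "/webapp/a-page.jsp":
            self._send(200, FORM, "text/html")
        elif self.path == "/webapp/result.jsp":
            self._send(200, f"handler runs so far: {len(WORK_DONE)}".encode())
        else:
            self.send_error(404)

    def do_POST(self):
        if self.path != "/webapp/handler":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode())
        WORK_DONE.append(form.get("item", [""])[0])   # the servlet's "work"
        # sendRedirect("/webapp/result.jsp"): the container makes the URL
        # absolute from the request's own scheme and Host header, so the
        # servlet never names a protocol and no HTTPS->HTTP switch happens.
        self.send_response(302)
        self.send_header("Location", f"https://{self.headers['Host']}/webapp/result.jsp")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def run_exchange():
    """Play the browser. Returns the hops as (status, Location or body)."""
    WORK_DONE.clear()
    plain = HTTPServer(("127.0.0.1", 0), PlainConnector)
    secure = HTTPServer(("127.0.0.1", 0), SecureConnectorStandIn)
    for server in (plain, secure):
        threading.Thread(target=server.serve_forever, daemon=True).start()
    hops = []
    try:
        # Hop 1: the user typed http://host/webapp/a-page.jsp.
        conn = HTTPConnection("127.0.0.1", plain.server_port)
        conn.request("GET", "/webapp/a-page.jsp", headers={"Host": HOST})
        resp = conn.getresponse()
        resp.read()
        hops.append((resp.status, resp.getheader("Location")))

        # Hop 2: the browser follows the 302 over HTTPS and receives the form.
        secure_host = f"{HOST}:{REDIRECT_PORT}"
        conn = HTTPConnection("127.0.0.1", secure.server_port)
        conn.request("GET", urlsplit(hops[-1][1]).path, headers={"Host": secure_host})
        resp = conn.getresponse()
        hops.append((resp.status, resp.read().decode()))

        # Hop 3: the form is submitted; the handler does its work, then 302s.
        conn.request("POST", "/webapp/handler", body="item=42",
                     headers={"Host": secure_host,
                              "Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        resp.read()
        hops.append((resp.status, resp.getheader("Location")))

        # Hops 4 and 5: the browser GETs the Location, then the user reloads.
        # The handler ran exactly once; a reload repeats only the GET.
        for _ in range(2):
            conn.request("GET", urlsplit(hops[2][1]).path, headers={"Host": secure_host})
            resp = conn.getresponse()
            hops.append((resp.status, resp.read().decode()))
        return hops
    finally:
        for server in (plain, secure):
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for hop in run_exchange():
        print(hop)
```

Running the script prints five hops: two 302s with their Location headers and three 200s. With a real Tomcat, those same hops appear as separate lines in the access log, which is why the message suggests reading it to see what happens to an http:// request.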

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

