2

I am doing some modifications to an existing web application which uses Struts and deploys on Tomcat. I was trying to make my application redirect from HTTP to HTTPS when the user visits one particular page. To do that, I added to my web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>secured page</web-resource-name>
    <url-pattern>/secured.do</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

and to my server.xml:

<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile=".keystore"
keystorePass="password" />

and it worked. The problem was that once the user is redirected to HTTPS, he doesn't go back to HTTP even when he visits another regular page. My question is, is that behavior normal, and are the configurations mentioned earlier supposed to do that? Or is there something related to the application that is causing this behavior? Thank you

1 Answer

2

Yes, that is the normal behaviour on Tomcat.

Once it moves into https, it will not redirect other URLs back into http, unless the URL explicitly is for http.

You could try adding this to the non-secure URL pattern block in web.xml, but this still won't auto-redirect to http after an https.

<user-data-constraint>
  <transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>

If you really need to, you would have to write a Filter to check if the URL is not part of the secured pattern, then redirect back to http.


1 Comment

Thanks, that was the solution. I wrote a Filter which sends redirects when it encounters https requests. However I noticed that this won't work for POST requests. Anyways, thanks for the answer.
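
A sketch of the Filter approach described in the answer, added here as an example; it is not the commenter's code. The class name `HttpDowngradeFilter`, the init-params `securedPath` and `httpPort`, and the default port 8080 are assumptions. It passes non-GET/HEAD requests through untouched, because a browser follows a 302 with a GET and the POST body is lost, which is the limitation the comment ran into.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, hypothetical names throughout (class and init-params).
public class HttpDowngradeFilter implements Filter {
    private String securedPath = "/secured.do"; // url-pattern from the question's web.xml
    private int httpPort = 8080;                // assumption: port of the plain HTTP connector

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("securedPath");
        String port = cfg.getInitParameter("httpPort");
        if (p != null) securedPath = p;
        if (port != null) httpPort = Integer.parseInt(port);
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Path inside the web application, without ";jsessionid=..." path parameters,
        // so a URL-rewritten link to the secured page still matches.
        String path = req.getRequestURI().substring(req.getContextPath().length());
        int semi = path.indexOf(';');
        if (semi >= 0) path = path.substring(0, semi);

        String method = req.getMethod();
        boolean bodyless = "GET".equals(method) || "HEAD".equals(method);

        // Pass through when the request is already plain HTTP, targets the secured
        // page, or is a POST/PUT/etc. whose body would not survive a redirect.
        if (!req.isSecure() || path.equals(securedPath) || !bodyless) {
            chain.doFilter(rq, rs);
            return;
        }

        // Rebuild the same URL with the http scheme and the configured port.
        StringBuffer target = new StringBuffer("http://").append(req.getServerName());
        if (httpPort != 80) target.append(':').append(httpPort);
        target.append(req.getRequestURI());
        if (req.getQueryString() != null) target.append('?').append(req.getQueryString());
        res.sendRedirect(target.toString());
    }

    public void destroy() { }
}
```

Map the filter to `/*` with a `<filter>` and `<filter-mapping>` entry in web.xml. A session that was first created over HTTPS has its JSESSIONID cookie marked Secure by Tomcat, so the browser will not send it on the redirected HTTP request.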
