You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by BugRat Mail System <to...@cortexity.com> on 2000/10/25 19:18:20 UTC

BugRat Report #307 has been filed.

Bug report #307 has just been filed.

You can view the report at the following URL:

   <http://znutar.cortexity.com:8888/BugRatViewer/ShowReport/307>

REPORT #307 Details.

Project: Tomcat
Category: Bug Report
SubCategory: New Bug Report
Class: swbug
State: received
Priority: high
Severity: critical
Confidence: public
Environment: 
   Release: Tomcat 3.2 beta 6
   JVM Release: 1.3
   Operating System: NT
   OS Release: 2000
   Platform: Intel

Synopsis: 
HTTP continues to work (it should not) if using a <transport-guarantee> of CONFIDENTIAL in the web.xml file.

Description:
When a web.xml file reads as follows:

<web-app>
    <security-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
</web-app>

HTTP should no longer work. Only HTTPS should work when accessing HTML pages or Servlets in that particular WebApp.
This is not the case: HTTP continues to work.

-Alan Bron
PROS Revenue Management
abron@prosrm.com