You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/05/02 20:56:30 UTC
DO NOT REPLY [Bug 8752] New: -
HTTPS redirect fails if using welcome-file
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8752>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8752
HTTPS redirect fails if using welcome-file
Summary: HTTPS redirect fails if using welcome-file
Product: Tomcat 4
Version: 4.0.3 Final
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Other
Component: Unknown
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: bangrazi@aprisma.com
I've found what I think is a bug with Tomcat automatically redirecting requests
through SSL (from 8080 to 8443) if the request is made to a directory rather
than to a specific file.
The setup:
Installed Tomcat 4.0.3 (final) (run with J2SDK 1.3.1_03). To configure SSL, I
created a self-signed certificate, and configured Tomcat (via server.xml) to
use it, by uncommenting the "Define an SSL HTTP/1.1 Connector on port 8443"
element and congifuring appropriately.
I then created a web app whose web.xml's "security-constraint" included
a "transport-guarantee" of CONFIDENTIAL. The web-app consisted of a single JSP
file that said basically "hello, [remote-user]". The web application's
deployment descriptor indicated that this page should be accessed via SSL.
If I point my browser (IE) directly to the JSP file
(http://localhost:8080/ssl/index.jsp"), the redirect happens as I expected
(https://localhost:8443/ssl/index.jsp) and the "lock" shows up in the browser.
If, however, I point my browser at http://localhost:8080/ssl/, and have
a "welcome-file" specification of "/index.jsp", the browser seems to time-out
(give up on the request) waiting for the server to respond. This is what I
think is the bug. I would expect the server to correctly use the welcome-file
when browsing to a path, even when using SSL.
Here is the code of my web app:
ssl/index.jsp:
<html>
<body>
<h1>Hello, <%= request.getRemoteUser( ) %>!</h1>
<p>You should be seeing this via HTTPS.</p>
</body>
</html>
ssl/WEB-INF/web.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<welcome-file-list>
<welcome-file>/index.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>SSL Test</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>All roles</description>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<description>force use of SSL</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>SSL Test</realm-name>
</login-config>
</web-app>
build.xml:
<?xml version="1.0"?>
<project name="ssl" default="all" basedir=".">
<property name="app.name" value="ssl"/>
<property name="catalina.home"
value="<path-to-my-catalina-home>" />
<target name="war">
<jar jarfile="${app.name}.war" basedir="war"/>
</target>
<target name="deploy">
<delete dir="${catalina.home}/webapps/${app.name}"/>
<delete file="${catalina.home}/webapps/${app.name}.war"/>
<copy file="${app.name}.war" todir="${catalina.home}/webapps"/>
</target>
<target name="all" depends="war"/>
<target name="clean">
<delete file="${app.name}.war"/>
</target>
</project>
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>