Re: jetty transport-guarantee behavior?
Hi David,

On Mon, Jan 30, 2006 at 03:35:52PM -0800, David Jencks wrote:
> On the other hand I couldn't convince myself that the spec required a redirect.

I agree - sending a 403 appears to be spec-compliant. Sending a redirect also appears to meet the spec and is way more user- and developer-friendly, though. At the moment I've got a filter that builds an HTTPS URL and redirects the request but this requires turning the transport guarantee off, so that the filter can do its job. It's a workaround but an auto-redirect from Jetty would be great.

> Maybe a greg or another jetty expert can explain how it is supposed to work?

That would be cool.

Thanks,
Toby
jetty transport-guarantee behavior?
Hi Folks,

I've got an application that I'm running over HTTPS and I'd like to make it so that users can't connect to it over plain old HTTP. I think that the web.xml user-data-constraint/transport-guarantee element is what I'm after but I have a question about its behavior. When I set it to CONFIDENTIAL and make a request over HTTPS then all's well, and when I make the same request over HTTPS I get a 403. I suppose that this is OK, if somewhat user-hostile, but I can probably work around it using a listener or some such.

I was poking around in JettyConnector.java, however, and it looks like it's trying to configure a few parameters to make Jetty automatically redirect HTTP requests over to HTTPS, but I'm not getting that behavior.

So my question is: how do I enable the auto-redirect behavior? Is there a flag in a plan file that I need to set?

Thanks,
Toby
Re: jetty transport-guarantee behavior?
On Jan 30, 2006, at 2:11 PM, toby cabot wrote:
> Hi Folks,
>
> I've got an application that I'm running over HTTPS and I'd like to make it so that users can't connect to it over plain old HTTP. I think that the web.xml user-data-constraint/transport-guarantee element is what I'm after but I have a question about its behavior. When I set it to CONFIDENTIAL and make a request over HTTPS then all's well, and when I make the same request over HTTPS I get a 403. I suppose that this is OK, if somewhat user-hostile, but I can probably work around it using a listener or some such.
>
> I was poking around in JettyConnector.java, however, and it looks like it's trying to configure a few parameters to make Jetty automatically redirect HTTP requests over to HTTPS, but I'm not getting that behavior.

I have experienced this too and didn't find a solution. It looked to me as if it should work, but it didn't. On the other hand I couldn't convince myself that the spec required a redirect.

Maybe a greg or another jetty expert can explain how it is supposed to work?

thanks
david jencks

> So my question is: how do I enable the auto-redirect behavior? Is there a flag in a plan file that I need to set?
>
> Thanks,
> Toby