Actually, I'm a big advocate against staying in HTTPS, because of the
overhead.  However, this is a problem with Tomcat, because in the 4.x and
5.x lines it was decided by someone that if a session started in HTTPS it
is only valid in HTTPS (basically, the session cookie is turned into a
secure cookie only).

There have been threads on this in the past, where myself and others asked
why this behavior was changed in Tomcat 4.x and Tomcat 5.x (there used to
be an option as to whether or not the sessions would be secure only if
they were started in HTTPS), and the general consensus seemed to be that
it was best to do it this way so developers don't make mistakes.

In general, with other application servers, if you're switching between
HTTP and HTTPS, you just have to make sure that:
1. Any page that requires privacy is in HTTPS
2. That you drop a secure cookie under HTTPS the first time someone logs
in, so that that cookie is only returned when they view HTTPS pages.

That will protect them from being session hijacked.  (They can still be
session hijacked using their jsessionid on HTTP pages, but that is always
the case.  But no one will be able to view their HTTPS pages using the
jsessionid unless they also have that secure cookie.)

As it stands, each time a new version of Tomcat comes out, I have to hack
away at the connector code to turn off the forced HTTPS session behavior.
I haven't felt competent enough to submit a patch to the Tomcat code to
try and restore the 3.x option for this, but hopefully I will soon. =P

Thanks,
-Raiden Johnson


On Fri, 15 Oct 2004, David Wall wrote:

> I don't know the answer to that.  It's unlikely, though.  You could put
> something like Apache in the front and use URL rewriting, which can
> basically force any URL with a given pattern to be redirected, either
> forcing HTTP or HTTPS and doing the redirect only when the scheme is not
> what you want.
>
> In general, though, when you know you are shifting between secure and
> insecure, you should perhaps create URLs that make this explicit.  In
> general, you enter a secure mode when starting a secure set of transactions,
> and then switch back when you are done.  Of course, you could just stay with
> HTTPS once they enter secure mode since securing the communications may have
> overhead, but it adds privacy.
>
> David
>
>
> ----- Original Message -----
> From: "Antony Paul" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>; "David Wall"
> <[EMAIL PROTECTED]>
> Sent: Thursday, October 14, 2004 9:42 PM
> Subject: Re: How to redirect http to https automatically?
>
>
> > Is it possible to switch from https to http using this kind of
> configuration ?
> > I tried with NONE for user constraint but it still remains in https.
> >
> > rgds
> > Antony Paul
> >
> >
> > On Thu, 14 Oct 2004 08:40:31 -0700, David Wall <[EMAIL PROTECTED]>
> wrote:
> > > This is part of the servlet specs.  In  your WEB-INF/web.xml file, you
> need
> > > a security constraint that says the site should be secure, something
> like:
> > >
> > > <security-constraint>
> > >  <web-resource-collection>
> > >    <web-resource-name>Entire site</web-resource-name>
> > >    <url-pattern>/*</url-pattern>
> > >    <http-method>GET</http-method>
> > >    <http-method>POST</http-method>
> > >  </web-resource-collection>
> > >  <user-data-constraint>
> > >    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > >  </user-data-constraint>
> > > </security-constraint>
> > >
> > > The "confidential" keyword ensures that the webapp will require https,
> so if
> > > you try to get it via http, then the redirect stuff specified in your
> > > server.xml will be applied.
> > >
> > > David
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Won Sim" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Wednesday, October 13, 2004 8:13 AM
> > > Subject: How to redirect http to https automatically?
> > >
> > > > I set redirectPort attribute to 443, which is my SSL connector port
> > > number,
> > > > from port 80 connector in the server.xml. This doesn't redirect http
> to
> > > > https automatically. In other words, I still can access the
> application
> > > via
> > > > http://server/myapp. I want to know how to redirect http to https
> > > > automatically so when I enter http://server/myapp, Tomcat redirects to
> > > > https://server/myapp. I am using Tomcat 4.1.30.
> > > >
> > > > Thanks in advance.
> > > > Won.
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
>

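The two rules Raiden lists above (privacy-requiring pages only over HTTPS, and a Secure cookie dropped at login so a JSESSIONID lifted from an HTTP page cannot open the HTTPS pages) can be put into a single servlet filter. The class below is an added illustration written for this thread; it is not code from Tomcat, from Raiden, or from any poster. The cookie name `SECURETOKEN`, the session attribute name, the `/account/` and `/checkout/` prefixes, and the assumption that HTTPS listens on port 443 are all choices made for the example, and the application's login code is assumed to call `issueSecureToken` once credentials have been verified on an HTTPS page.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example filter (not Tomcat code): one session spans HTTP and HTTPS, but the
 * HTTPS-only pages additionally require a Secure cookie issued at login.
 * Cookie name, attribute name, path prefixes and port 443 are assumptions.
 */
public class SecureSessionFilter implements Filter {

    /** Secure-flagged cookie handed out at login (hypothetical name). */
    static final String SECURE_COOKIE = "SECURETOKEN";
    /** Session attribute holding the value that cookie must carry. */
    static final String TOKEN_ATTR = "SecureSessionFilter.token";
    /** Context-relative paths that require privacy (assumed for the example). */
    private static final String[] PRIVATE_PREFIXES = { "/account/", "/checkout/" };

    private static final SecureRandom RANDOM = new SecureRandom();

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest sreq, ServletResponse sres, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) sreq;
        HttpServletResponse res = (HttpServletResponse) sres;

        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (!isPrivate(path)) {
            // Public page: plain HTTP with the ordinary JSESSIONID is acceptable.
            chain.doFilter(req, res);
            return;
        }

        // Rule 1: a page that requires privacy is served only over HTTPS
        // (the per-request equivalent of CONFIDENTIAL in web.xml).
        if (!req.isSecure()) {
            res.sendRedirect(httpsUrl(req));
            return;
        }

        // Rule 2: the session must hold the token bound at login and the browser
        // must present the matching Secure cookie. A JSESSIONID captured from an
        // HTTP page arrives without that cookie and is refused here.
        HttpSession session = req.getSession(false);
        String expected = (session == null) ? null : (String) session.getAttribute(TOKEN_ATTR);
        String presented = cookieValue(req, SECURE_COOKIE);
        if (expected == null || presented == null
                || !MessageDigest.isEqual(expected.getBytes("US-ASCII"),
                                          presented.getBytes("US-ASCII"))) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "secure login required");
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * To be called by the login handler, over HTTPS, after credentials are
     * verified: binds a fresh random token to the session and gives the browser
     * the same value as a Secure cookie, which it only returns on HTTPS requests.
     */
    public static void issueSecureToken(HttpServletRequest req, HttpServletResponse res) {
        if (!req.isSecure()) {
            throw new IllegalStateException("login must happen over HTTPS");
        }
        byte[] raw = new byte[16];
        RANDOM.nextBytes(raw);
        String token = toHex(raw);
        req.getSession(true).setAttribute(TOKEN_ATTR, token);
        Cookie c = new Cookie(SECURE_COOKIE, token);
        c.setSecure(true);   // never transmitted over plain HTTP
        c.setPath(req.getContextPath().length() == 0 ? "/" : req.getContextPath());
        res.addCookie(c);
    }

    private static boolean isPrivate(String path) {
        for (int i = 0; i < PRIVATE_PREFIXES.length; i++) {
            if (path.startsWith(PRIVATE_PREFIXES[i])) return true;
        }
        return false;
    }

    private static String cookieValue(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (int i = 0; i < cookies.length; i++) {
            if (name.equals(cookies[i].getName())) return cookies[i].getValue();
        }
        return null;
    }

    /** Same URL on HTTPS; assumes HTTPS is on the default port 443. */
    private static String httpsUrl(HttpServletRequest req) {
        StringBuffer url = new StringBuffer("https://")
                .append(req.getServerName()).append(req.getRequestURI());
        if (req.getQueryString() != null) url.append('?').append(req.getQueryString());
        return url.toString();
    }

    private static String toHex(byte[] bytes) {
        StringBuffer sb = new StringBuffer(bytes.length * 2);
        for (int i = 0; i < bytes.length; i++) {
            sb.append(Character.forDigit((bytes[i] >> 4) & 0xf, 16));
            sb.append(Character.forDigit(bytes[i] & 0xf, 16));
        }
        return sb.toString();
    }
}
```

Map the filter to `/*` with a `<filter>` and `<filter-mapping>` entry in WEB-INF/web.xml. The token is compared with `MessageDigest.isEqual` rather than `String.equals` so the check does not leak how many leading characters matched. One caveat that follows from Raiden's description: on Tomcat 4.x and 5.x a session first created under HTTPS gets a secure-only JSESSIONID regardless, so for the session to remain usable on HTTP pages it has to exist before the HTTPS login (for example, be created on an HTTP page), or the connector behaviour has to be changed as Raiden describes.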