> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Tuesday, June 23, 2015 3:18 PM
> To: Tomcat Users List
> Subject: Re: Settings when SSL terminates on the front-end
> 
> On 17/06/2015 19:08, Jeffrey Janner wrote:
> > I've been deploying letting Tomcat do it all when it came to connectors
> > and SSL, with the app forcing everything to SSL in the
> > <security-constraints> section.  Now I'm setting up a haproxy front-end
> > that will both terminate the SSL and take care of the redirect from HTTP
> > to HTTPS for me and Tomcat only running a standard HTTP port on 8080.
> >
> > So my question is, is it still important for the app to know that it is
> > operating "secure", and if so, what settings are a must?
> 
> Yes it is extremely important.
> 
> You need secure="true" for everything received over HTTPS and
> secure="false" for everything received over HTTP.
> 
> It is simpler in your case since Tomcat only ever sees traffic that has
> been received over HTTPS.
> 
> There are several ways to ensure secure="true".
> 
> In your case, setting on the connector is the simplest and best option.
> 
> If proxying over AJP, the AJP connector takes care of it.
> 
> The RemoteIP[Valve|Filter] or the SSLValve can handle this if proxying
> over HTTP.
> 
> 
> There are several reasons it is important (the first reason is the big
> one):
> 
> 1. cookies created over secure connections will have the secure flag set
> which will ensure that browsers never send the cookie over HTTP. I once
> watched a customer go very white while I was explaining this when they
> realised that their banking app was sending authentication cookies over
> HTTP connections.
> 
> 2. The user data constraint in web.xml will only be satisfied if
> secure="true".
> 
> HTH,
> 
> Mark

Thanks for the confirmation, Mark. That is what I thought I'd gleaned from
previous posts. I will be sure to mark the HTTP connector secure="true" in my
Tomcat instances.
I gather from #2 above that, with the secure setting on the HTTP port, it
won't really matter whether the <security-constraints> section exists in the
web.xml or not, because Tomcat will assume it is already secure. Ergo, I don't
have to get the developers to remove it.
That is fine with me.
Thanks again.
Jeff
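The two server.xml options Mark lists for proxying over HTTP, plus the web.xml user-data constraint his point #2 refers to, written out as an added example. This is not configuration from the thread or from the Tomcat project's documentation; the port, bind address, proxy hostname and internal proxy subnet are assumed values for illustration.

```xml
<!-- server.xml, option A (the haproxy setup in this thread): haproxy has
     already terminated TLS and forwards only HTTPS traffic to this
     connector, so every request on it is declared secure. Tomcat then sets
     the Secure flag on session cookies and treats the CONFIDENTIAL
     transport guarantee as satisfied. Bind address, proxyName and proxyPort
     are assumed values. -->
<Connector port="8080"
           protocol="HTTP/1.1"
           address="127.0.0.1"
           connectionTimeout="20000"
           secure="true"
           scheme="https"
           proxyName="www.example.com"
           proxyPort="443" />

<!-- server.xml, option B (inside <Engine> or <Host>): when the same
     connector receives both plain HTTP and proxied HTTPS, RemoteIpValve
     decides request.isSecure() per request from X-Forwarded-Proto. It
     honours the header only for connections coming from internalProxies
     (assumed 10.0.0.0/24 here), so a client that reaches 8080 directly
     cannot mark its own plaintext request as secure. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       httpsServerPort="443"
       internalProxies="10\.0\.0\.\d{1,3}" />

<!-- web.xml: the user-data constraint from point #2. With secure="true" on
     the connector (or set by RemoteIpValve) this is satisfied as-is; on a
     connector where isSecure() is false, Tomcat instead redirects the
     request to the HTTPS scheme/port it knows about. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With option A, Tomcat trusts the connector unconditionally: any request that reaches port 8080 counts as secure, including a direct plaintext request that bypasses haproxy. Binding the connector to a loopback or internal address (or firewalling it) is what keeps that assumption true. Option B is the choice when plaintext and proxied-TLS traffic share a connector; there the internalProxies list is the trust boundary, and it should match only the proxy's actual source addresses.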
