Cummins College wrote:
Hi,

I know that https by enabling the secure attribute to true. But what if I
want to "disable" the http connector?

To elaborate, I want the https connector to be disabled when http runs and
vice versa. What changes should be done?
However, not by changing the secure attribute.

We know most of you don't exactly agree or approve of our idea about fiddling
with the http connector, but please do help!

It is not that we don't /agree/, it is that we can't really see the point, or what you are trying to achieve, or how it could possibly work in practice.

Let me give you an example :

Say users start by getting a "menu" page from your site, using a http link :
http://yoursite.yourcompany.com/welcome.html

Now inside that page which the browser just got from your site, and which is now in the browser's memory, there are links to various things the users can do on your site. For example :

<a href="/students/sign-up.html">sign up as a student</a>
<a href="/students/sign-off.html">cancel your account</a>
<a href="/info/programs.html">study programs</a>
etc...

So, when the user is going to click on such a link, the /browser/ will interpret this in function of the protocol and host which was used to get "welcome.html", and for example for the first link, it is going to issue a request to :
http://yoursite.yourcompany.com/students/sign-up.html

That means that the browser is going to try to set up a connection with the server, using the HTTP protocol, over a non-secure connection.

Now suppose that in the meantime, you have disabled HTTP on port 80, and forced it to be HTTPS. Well then, this request from the client is going to fail, because it is still going to try for a HTTP connection, because /that is the meaning of the link it has in the page currently loaded in the browser/. And the Connector on port 80, which is suddenly accepting only HTTPS connections, is going to refuse that HTTP connection request.

Changing the connector's protocol is not going to suddenly and magically update all the welcome.html pages which have been already loaded by the browsers accessing your site, and the links in those pages. It is also not going to magically update all the pages on your site which already have these links in them, even if browsers have not received them yet.

If you want a client, at some point, to stop using HTTP and switch to HTTPS, then the correct method is not to mysteriously change the nature of the protocol "under their nose". One correct method is to ensure that for links which you want to be used under HTTPS, you return in your pages the appropriate link, like :
<a href="https://yoursite.yourcompany.com/students/sign-up.html">sign up as a student</a>
instead of
<a href="http://yoursite.yourcompany.com/students/sign-up.html">sign up as a student</a>

Another correct method is, when the browser requests a page using HTTP, to return a "redirect" response to the browser saying : "for this page, which you wanted as "http://yoursite.yourcompany.com/students/sign-up.html", please use this address instead :
https://yoursite.yourcompany.com/students/sign-up.html

That is called a "redirect" response, with a HTTP status code 302.
Upon receiving such a response, the browser will, automatically and transparently, without even asking the user, make a new request to the server, this time for
https://yoursite.yourcompany.com/students/sign-up.html

And on the server side, this new request will be received and processed by the HTTPS connector, not the HTTP one. The HTTP and the HTTPS Connector are both set up in advance, ready to receive requests on their respective ports and using their respective type of TCP/IP connection, and they do not interfere with one another.

If you want to take a Connector which is currently active and using one protocol, and change its protocol on the fly, then please state a valid reason to do this, that we could understand what you are trying to achieve, and which the current HTTP RFC and associated webservers cannot do in some standard way.


Note that in the above, I am simplifying the problem which would happen, because switching from HTTP to HTTPS is not just a matter of having a browser being refused a connection. It would also cause any existing live connection between browsers and the server to be aborted, for reasons that would appear mysterious to anyone watching the logfiles or the traffic for instance.


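The redirect approach described in the reply above, expressed as Tomcat configuration. This is an added example, not part of the original message or of the Tomcat project's own files. The port numbers, the `/students/*` pattern, and the keystore path and password placeholders are assumptions, and the TLS connector uses the `SSLHostConfig` syntax of Tomcat 8.5 and later.

```xml
<!-- conf/server.xml (fragment): both connectors are defined up front and
     both stay enabled; neither one ever changes protocol at runtime. -->

<!-- Plain HTTP connector. redirectPort names the TLS port that Tomcat
     redirects to when a request requires a confidential transport.
     Port numbers are assumptions for this example. -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- HTTPS connector. Keystore path and password are placeholders. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/PLACEHOLDER-keystore.p12"
                 certificateKeystorePassword="PLACEHOLDER"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- WEB-INF/web.xml (fragment, placed inside <web-app>): only the pages
     that must use HTTPS are listed. A request for them that arrives on the
     HTTP connector is answered with a redirect to the same path on the
     redirectPort; other pages remain reachable over HTTP. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Student sign-up and sign-off pages</web-resource-name>
    <url-pattern>/students/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With this in place, a relative link such as `/students/sign-up.html` in a page loaded over HTTP still produces an HTTP request, and the server answers it with the kind of redirect response described above, while `/info/programs.html` continues to be served over HTTP.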