SSL – Tomcat handles HTTP on port 443 but not HTTPS!

java ssl tomcat

I have a misunderstanding of what's going on with Tomcat!

I have my app deployed as ROOT.war on Tomcat.
I have one URL that I want to be reachable only via SSL.

Tomcat processes this URL fine:

http://localhost:443/securedUrl

and doesn't process this URL:

https://localhost/securedUrl

Why?

A piece of $CATALINA_HOME/conf/server.xml:

    <Connector port="8080" protocol="HTTP/1.1" 
               connectionTimeout="20000" 
               redirectPort="443" />

    <Connector  port="443" 
                maxThreads="150" 
                minSpareThreads="25" 
                maxSpareThreads="75" 
                enableLookups="true" 
                disableUploadTimeout="true"
                acceptCount="100" 
                debug="0" 
                scheme="https" 
                secure="true"
                clientAuth="false" 
                sslProtocol="TLS"
                keystoreFile="/webapps/ROOT/myapp.keystore.bin"
                keystorePass="lalala" />

A piece of $CATALINA_HOME/webapps/ROOT/WEB-INF/web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secured_postbacks</web-resource-name>
            <url-pattern>/securedUrl</url-pattern>
        </web-resource-collection>

        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

</web-app>

Best Answer

HTTP can happily run on port 443. HTTPS is not HTTP - it's HTTP over TLS or SSL - and it can happily run on port 80.

They're simply not the same: http://localhost:443/securedUrl and https://localhost/securedUrl do not point to the same resource.
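
The distinction drawn in the answer can be checked against the configuration itself. The following is an added example, not part of the original question or answer: it audits a `server.xml` for connectors that declare `scheme="https"` or `secure="true"` without enabling TLS. It assumes Tomcat 6 or later, where a connector only speaks TLS when `SSLEnabled="true"` is set; the sample XML and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the two connectors in the question (not a real deployment).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />
    <Connector port="443" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/webapps/ROOT/myapp.keystore.bin" />
  </Service>
</Server>
"""

def tls_enabled(conn):
    # Assumption: Tomcat 6+, where TLS is active only when SSLEnabled="true".
    return conn.get("SSLEnabled", "false").strip().lower() == "true"

def audit_connectors(server_xml):
    """Return (port, finding) tuples for connectors that look like HTTPS but are not."""
    root = ET.fromstring(server_xml)
    connectors = root.findall(".//Connector")
    tls_ports = {c.get("port") for c in connectors if tls_enabled(c)}
    findings = []
    for c in connectors:
        if tls_enabled(c):
            continue
        port = c.get("port")
        # scheme/secure only change what the request reports; they do not start TLS.
        claims_https = (c.get("scheme", "http").lower() == "https"
                        or c.get("secure", "false").lower() == "true")
        if claims_https:
            findings.append((port, "declares https/secure without SSLEnabled: plaintext HTTP"))
        # May be a false positive when TLS terminates at a proxy in front of Tomcat.
        redirect = c.get("redirectPort")
        if redirect and redirect not in tls_ports:
            findings.append((port, "redirectPort %s is not a TLS connector" % redirect))
    return findings

if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print("port %s: %s" % (port, finding))
```
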