Reputation: 349
I'm creating a web application with Spring MVC, to run in Tomcat 7. I have a POST request on a login page, to /account/login, which I want to send over https.
In my web.xml I have:
<security-constraint>
    <!-- Both url-patterns are exact matches: only these two paths are
         covered, and each must arrive over a secure (TLS) connector. -->
    <web-resource-collection>
        <web-resource-name>Login</web-resource-name>
        <url-pattern>/account/login</url-pattern>
    </web-resource-collection>
    <web-resource-collection>
        <web-resource-name>Login-Error</web-resource-name>
        <url-pattern>/account/login-error</url-pattern>
    </web-resource-collection>
    <!-- CONFIDENTIAL: a plain-HTTP request for these patterns is redirected
         by Tomcat to the HTTP connector's redirectPort (the HTTPS port). -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
And in the tomcat server.xml I have a https connector:
<!-- JSSE HTTPS connector. keystoreFile points to a JKS (or PKCS12) keystore
     holding the server's private key and certificate; the plain HTTP
     connector (not shown) needs redirectPort="8443" so that CONFIDENTIAL
     constraints redirect to this connector. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https"
           secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/my.cert" keystorePass="password" />
When I hit the login page the protocol is always https, and the login procedure itself works fine.
However, when I use the Firefox plugin "Tamper Data" to inspect the POST request, the username and password are in plain text. I was expecting them to be encrypted. Have I missed something?
Upvotes: 0
Views: 254
Reputation: 7238
I am not sure about this, but SSL works on the network layer, so the data flowing from the application layer to the SSL layer is unencrypted and packets are encrypted after that. That could be the reason why you are able to see the data in plain text.
Upvotes: 1
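The following is an added example, not code from the question or the answer above. It makes the layering point concrete: TLS sits between TCP and HTTP, so a tool that hooks the browser (Tamper Data) reads the form body before encryption, the servlet reads it after Tomcat's connector has decrypted it, and only a capture of the TCP socket shows what an attacker on the network would see. The program uses Go's httptest self-signed TLS server as a stand-in for the Tomcat 8443 connector, posts a constructed username/password form to /account/login, and records all three vantage points. The host, credentials and helper names are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"strings"
	"sync"
)

// captureConn wraps the TCP connection and records every byte the client
// writes to it: the view a packet sniffer on the network path gets, as
// opposed to the view a browser extension gets.
type captureConn struct {
	net.Conn
	mu  *sync.Mutex
	buf *bytes.Buffer
}

func (c *captureConn) Write(p []byte) (int, error) {
	c.mu.Lock()
	c.buf.Write(p)
	c.mu.Unlock()
	return c.Conn.Write(p)
}

// LoginCapture holds the three vantage points on one POST /account/login.
type LoginCapture struct {
	BrowserView string // the request as the browser (and Tamper Data) builds it
	ServerView  string // the form body the server reads after TLS termination
	Wire        []byte // the bytes that actually crossed the TCP connection
}

// PostLoginOverTLS sends a constructed login form to a local HTTPS server
// (ephemeral self-signed certificate from httptest, standing in for the
// Tomcat connector) and records what each layer sees.
func PostLoginOverTLS(username, password string) (LoginCapture, error) {
	var out LoginCapture

	// Stand-in for the login servlet: it receives the decrypted body.
	received := make(chan string, 1)
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		received <- string(body)
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	// Hook the transport's TCP dial so we observe bytes *below* the TLS layer.
	var mu sync.Mutex
	wire := &bytes.Buffer{}
	client := srv.Client() // already trusts the test server's certificate
	tr := client.Transport.(*http.Transport)
	tr.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
		conn, err := (&net.Dialer{}).DialContext(ctx, network, addr)
		if err != nil {
			return nil, err
		}
		return &captureConn{Conn: conn, mu: &mu, buf: wire}, nil
	}

	// Constructed form body, the same shape a login page submits.
	body := "username=" + username + "&password=" + password
	req, err := http.NewRequest(http.MethodPost, srv.URL+"/account/login", strings.NewReader(body))
	if err != nil {
		return out, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	// What an in-browser tool sees: the full request before encryption.
	dump, err := httputil.DumpRequestOut(req, true)
	if err != nil {
		return out, err
	}
	out.BrowserView = string(dump)

	resp, err := client.Do(req)
	if err != nil {
		return out, err
	}
	resp.Body.Close()

	out.ServerView = <-received
	mu.Lock()
	out.Wire = append([]byte(nil), wire.Bytes()...)
	mu.Unlock()
	return out, nil
}

// WireLeaksCredentials reports whether the password appears in the clear in
// the captured TCP bytes. Over TLS this must be false.
func WireLeaksCredentials(c LoginCapture, password string) bool {
	return bytes.Contains(c.Wire, []byte(password))
}

// StartsWithTLSHandshake checks that the first byte on the wire is a TLS
// record of content type handshake (0x16), i.e. the ClientHello.
func StartsWithTLSHandshake(c LoginCapture) bool {
	return len(c.Wire) > 0 && c.Wire[0] == 0x16
}

func main() {
	c, err := PostLoginOverTLS("alice", "s3cret-pw")
	if err != nil {
		panic(err)
	}
	fmt.Println("--- browser/plugin view (plaintext) ---")
	fmt.Print(c.BrowserView)
	fmt.Println("--- server view after TLS termination ---")
	fmt.Println(c.ServerView)
	fmt.Printf("--- wire: %d bytes, first record type 0x%02x, password visible: %v\n",
		len(c.Wire), c.Wire[0], WireLeaksCredentials(c, "s3cret-pw"))
}
```

The practical check this suggests: to verify that the transport guarantee is doing its job, look at the traffic from outside the browser (tcpdump or Wireshark on port 8443, or a logging proxy placed on the network) rather than with a browser extension, which by design operates before the request reaches the TLS stack.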