Reputation: 1494
I am trying to set up HTTP to HTTPS redirection in Tomcat 8. Below is the configuration:

web.xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint />
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
server.xml
<Connector executor="tomcatThreadPool"
           port="50915"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxHttpHeaderSize="99999"
           server=" Web"
           keepAliveTimeout="90000"
           maxKeepAliveRequests="-1"
           acceptorThreadCount="40"
           allowTrace="true"
           redirectPort="50921" />
<Connector executor="tomcatThreadPool"
           port="50921"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxHttpHeaderSize="99999"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           server="Web"
           keepAliveTimeout="90000"
           maxKeepAliveRequests="-1"
           acceptorThreadCount="40"
           allowTrace="true"
           keystoreFile="/web/home/wb10d1/.keystore"
           keystorePass="changeit"/>
Update #1: I am able to access via http and https at the ports configured without any problem:
http://hostname:50915/webapp
https://hostname:50921/webapp
But when I try to access as below:
https://hostname:50915/webapp
I expect that Tomcat should redirect it from the non-SSL connector configured for port 50915 to the SSL connector configured for port 50921, but it does not seem to be working. The only error I see is the one below.
catalina.out
[#|INFO|2016-03-05 00:14:55.524+1000|1|org.apache.coyote.AbstractProtocol.start|Starting ProtocolHandler ["http-nio-50915"]|#]
[#|INFO|2016-03-05 00:14:55.536+1000|1|org.apache.coyote.AbstractProtocol.start|Starting ProtocolHandler ["http-nio-50921"]|#]
[#|INFO|2016-03-05 00:14:55.541+1000|1|org.apache.catalina.startup.Catalina.start|Server startup in 6831 ms|#]
[#|INFO|2016-03-05 00:15:33.254+1000|120|org.apache.coyote.http11.AbstractHttp11Processor.process|Error parsing HTTP request header
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.|#]
I have passed "-Djava.net.debug=all" to java, but that does not give anything more than the above error. From the above error it is not at all clear why the header was not being parsed. Is there a way to get a deeper level of debug output to aid in nailing down the issue?
I have seen other similar questions like this and this. However, these do not seem to work for me.
Upvotes: 2
Views: 7091
Reputation: 38771
(Sorry for delay; initially I missed the link request.)
The redirect is working.
50915 is the HTTP port and 50921 the HTTPS port on this Tomcat. When you browse http://host:50915/xyz, where xyz matches the security-constraint (and here any xyz should), Tomcat returns a redirect telling your browser/etc. to use https://host:50921/xyz instead, and it does so automatically; you don't actually see anything different.
You can't do HTTP on an HTTPS port, or vice versa; that's why the HTTP and HTTPS connectors have different ports in the first place. If you try to do HTTPS on port 50915, the initial SSL handshake message (ClientHello) is treated by Tomcat as a plaintext HTTP request, and (of course) it is a totally invalid HTTP request, hence "Error parsing HTTP request header". If you try to do HTTP on 50921, the Java SSL code tries to process the HTTP request as a ClientHello, which doesn't work at all, so it throws an exception, and actually says "possible plaintext" in the exception message; I don't recall (and can't at the moment test) how this looks in the Tomcat log.
Upvotes: 4
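The two things the answer describes, a TLS ClientHello arriving on the plaintext connector and a 302 to the redirectPort when the request does use plain HTTP, can both be checked from the client side. The script below is an added example and is not code from the question, the answer or Tomcat itself. It classifies the first bytes a server would read as TLS or HTTP (the same distinction behind "Error parsing HTTP request header" and "possible plaintext"), parses an HTTP response, and verifies that a redirect really points at https on the expected port and path. The hostname, ports and response bytes are constructed samples; the live probe at the bottom only runs when you pass a host and ports on the command line.

```python
"""Added example (not from the question, the answer or Tomcat): classify what a
client sent as TLS vs plaintext HTTP, and verify a Tomcat-style HTTP->HTTPS
redirect. Hostnames, ports and sample responses below are constructed."""
import socket
import sys
from urllib.parse import urlsplit

# Request-line prefixes a plaintext HTTP connector expects to see.
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"TRACE ", b"PATCH ")

# Constructed sample of what Tomcat sends for a CONFIDENTIAL constraint hit
# over plain HTTP: a redirect to the same path on the redirectPort over https.
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: https://hostname:50921/webapp\r\n"
                   b"Content-Length: 0\r\n\r\n")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes a server reads.

    A TLS record begins with content type 0x16 (handshake) and a 0x03 0x0N
    record version; plaintext HTTP begins with an ASCII method token.  TLS
    bytes on the HTTP connector are what Tomcat logs as "Error parsing HTTP
    request header"; HTTP bytes on the TLS connector are what JSSE reports as
    "possible plaintext".
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, {lowercased header: value})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def check_tls_redirect(raw: bytes, host: str, path: str, https_port: int) -> bool:
    """True only if the response is a redirect to https://host:https_port/path.

    Anything else (a 200 served in the clear, a redirect back to http, a
    redirect to some other port) means the transport-guarantee is not being
    enforced the way the connector pair intends.
    """
    status, headers = parse_http_response(raw)
    if status not in (301, 302, 303, 307, 308):
        return False
    loc = urlsplit(headers.get("location", ""))
    return (loc.scheme == "https"
            and loc.hostname == host.lower()
            and (loc.port or 443) == https_port
            and loc.path == path)


def fetch_plaintext(host: str, port: int, path: str, timeout: float = 5.0) -> bytes:
    """Send one plain-HTTP GET to host:port and return the raw response bytes."""
    request = ("GET %s HTTP/1.1\r\nHost: %s:%d\r\nConnection: close\r\n\r\n"
               % (path, host, port)).encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            block = sock.recv(4096)
            if not block:
                break
            chunks.append(block)
    return b"".join(chunks)


if __name__ == "__main__":
    # Usage: python redirect_check.py <host> <http_port> <https_port> [path]
    host, http_port, https_port = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    path = sys.argv[4] if len(sys.argv) > 4 else "/webapp"
    raw = fetch_plaintext(host, http_port, path)
    status, headers = parse_http_response(raw)
    print("status %d, Location: %s" % (status, headers.get("location", "<none>")))
    print("https redirect enforced" if check_tls_redirect(raw, host, path, https_port)
          else "WARNING: plain HTTP request was not redirected to https")
```

Run it against the HTTP connector port (50915 in the question), not the HTTPS one: sending plain HTTP to 50921 reproduces the "possible plaintext" failure the answer mentions rather than testing the redirect. The check deliberately requires the Location to carry the https scheme and the expected port, so a misconfigured redirectPort shows up as a failed check rather than as a silently working redirect to the wrong place.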