Roman Proshin

Reputation: 909

How to disable auto redirect from HTTP to HTTPS on Tomcat

There are a lot of manuals on how to enable auto redirect from HTTP to HTTPS. But I need to disable such a redirect (according to this advice: SSL everywhere - all the time). I use Tomcat 7.x and I need to implement the following:

I tried to remove redirectPort in server.xml already,

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />

but it led to a redirect to port 443 only (I expected the redirect to be disabled).

So my question is: how to disable auto redirect from HTTP to HTTPS and return the error?

Upvotes: 7

Views: 21449

Answers (3)

Artem

Reputation: 98

Take a look at the documentation:

redirectPort – If this Connector is supporting non-SSL requests, and a request is received for which a matching requires SSL transport, Catalina will automatically redirect the request to the port number specified here.

The redirectPort indicates only the port, but does not allow / disallow redirect, and if it is not specified, Catalina will redirect to the default https port (i.e. 443).

So check your web.xml files (WEB-INF/web.xml and CATALINA_HOME/conf/web.xml), at the end you may see security-constraint with <web-resource-name>HTTPSOnly</web-resource-name> or <transport-guarantee>CONFIDENTIAL</transport-guarantee>. Edit the HTTPSOnly to HTTPSOrHTTP and the CONFIDENTIAL to NONE.

Upvotes: 6
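To locate the constraints the answer above refers to before editing anything, the following added example (not part of the original answer) parses a web.xml and lists every security-constraint whose transport-guarantee requires a secure connection. The sample descriptor and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not taken from the original post).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTPSOnly</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Static</web-resource-name>
      <url-pattern>/static/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

def local(tag):
    # Strip the XML namespace so the lookup works for any web.xml schema version.
    return tag.rsplit("}", 1)[-1]

def find_tls_constraints(xml_text):
    """Return (resource name, url patterns, guarantee) for each constraint requiring TLS."""
    hits = []
    for sc in ET.fromstring(xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        fields = {"web-resource-name": [], "url-pattern": [], "transport-guarantee": []}
        for el in sc.iter():
            if local(el.tag) in fields and el.text:
                fields[local(el.tag)].append(el.text.strip())
        # A missing user-data-constraint means no transport requirement (NONE).
        guarantee = (fields["transport-guarantee"] or ["NONE"])[0].upper()
        if guarantee in ("CONFIDENTIAL", "INTEGRAL"):  # both require a secure transport
            hits.append((", ".join(fields["web-resource-name"]), fields["url-pattern"], guarantee))
    return hits

if __name__ == "__main__":
    for name, patterns, guarantee in find_tls_constraints(SAMPLE_WEB_XML):
        print(f"{name}: {patterns} -> {guarantee}")
```

Run it against both WEB-INF/web.xml and CATALINA_HOME/conf/web.xml, since a constraint in either file applies to the application.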

zakyalvan

Reputation: 50

On Spring Boot's embedded Tomcat, setting the redirect port to 0 won't auto redirect, in my case.

Upvotes: -3

AlexeyyRU

Reputation: 49

Comment out block in conf/web.xml. Doing that, redirectPort will be ignored.

Upvotes: 4
