I configured an instance of Tomcat following this article: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html. I commented out the HTTP connector because I want my demo application to be accessible only via HTTPS. I configured the HTTPS connector as follows:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keystorePass="nopass"
           keystoreFile="/home/someuser/.keystore" keyAlias="tomcat" />
Everything works fine when I hit the URL of my demo application’s servlet using HTTPS.
When I tried to hit it using an HTTP URL, I expected it to return a 403 or similar error. Instead I got a download of some small (11 bytes?) binary file with a name matching the name of the servlet.
Did anyone experience a similar issue? How did you resolve it? What should I check to make sure I did everything right?
EDIT: I tried hitting the same connector using curl instead of the browser and noticed that it doesn’t return any headers. Oh, and the size of the response is 7 bytes, not 11.
EDIT 2: This is the security-related part of the web.xml of my demo application:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure Servlet</web-resource-name>
        <url-pattern>/SecureServlet</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    <auth-constraint>
        <role-name>connect</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <description>The role required to connect to the application</description>
    <role-name>connect</role-name>
</security-role>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
I have tested this by commenting out the HTTP Connector in server.xml, forcing the app to work on HTTPS:
1. works as expected
2. returns a 404
3. Note the incorrect mix of protocol and port returns a small stream of garbage which is rendered in IE and as binary in Firefox; this is of 7 bytes
Can you recheck if you are seeing the 3rd scenario which should not happen in a natural case but only if someone fiddles with the URL?
Okay, I tested using CONFIDENTIAL but it still does not redirect the http on 8443 to https. I’m guessing that only comes into the picture when the user has tried http on the valid 8080 port. Using Fiddler, I see that the headers coming back are non-existent and the response is junk.
This seems to be the standard behaviour, and end-users who access the app in this manner will see junk as expected.
If you really need to, you could try writing your own custom Tomcat Valve, which acts like a Filter, to take care of this special case and redirect the users to SSL.
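As an added check (my own example, not code from the thread), the Python script below repeats the curl experiment from the question over a raw socket and classifies whatever the connector sends back. It assumes the 7-byte "junk" returned when plain HTTP hits the TLS port is a TLS alert record (a 5-byte record header plus a 2-byte alert body), which is consistent with the size reported above; the function names and the sample bytes are my own.

```python
import socket

TLS_ALERT = 0x15  # TLS record content type for alerts
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {10: "unexpected_message", 40: "handshake_failure",
                      70: "protocol_version", 80: "internal_error"}


def classify_response(data: bytes) -> dict:
    """Classify the raw bytes a connector returns to a plaintext HTTP request.

    A proper HTTP answer starts with "HTTP/"; a TLS endpoint that was handed
    plaintext typically replies with a single alert record: content type 0x15,
    version 0x03xx, 2-byte length, then alert level and description.
    """
    if not data:
        return {"kind": "empty"}
    if data.startswith(b"HTTP/"):
        status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "http", "status_line": status_line}
    if (len(data) >= 7 and data[0] == TLS_ALERT and data[1] == 0x03
            and data[2] <= 0x04 and int.from_bytes(data[3:5], "big") == 2):
        level, desc = data[5], data[6]
        return {"kind": "tls-alert",
                "level": ALERT_LEVELS.get(level, str(level)),
                "description": ALERT_DESCRIPTIONS.get(desc, str(desc)),
                "size": len(data)}
    return {"kind": "unknown", "size": len(data)}


def probe_plain_http(host: str, port: int, path: str = "/SecureServlet",
                     timeout: float = 5.0) -> dict:
    """Send an unencrypted HTTP request to host:port and classify the reply."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # the server may simply stop talking after the alert
    return classify_response(b"".join(chunks))


# Constructed sample: a 7-byte fatal TLS 1.0 alert record (unexpected_message).
SAMPLE_ALERT = bytes.fromhex("1503010002020a")

if __name__ == "__main__":
    print(classify_response(SAMPLE_ALERT))
    # print(probe_plain_http("localhost", 8443))  # run against your own Tomcat
```

Running probe_plain_http against the TLS port should report a tls-alert rather than an http status line, which confirms the junk is the TLS layer rejecting plaintext and not application output leaking from the servlet.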