尝试使用 HTTP 访问 Tomcat 6 HTTPS 连接器时出现意外结果
我按照本文配置了 Tomcat 实例: http://tomcat.apache .org/tomcat-6.0-doc/ssl-howto.html。我注释掉了 HTTP 连接器,因为我希望只能通过 HTTPS 访问我的演示应用程序。我这样配置 HTTPS 连接器:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystorePass="nopass"
keystoreFile="/home/someuser/.keystore" keyAlias="tomcat" />
当我使用 HTTPS 访问演示应用程序的 servlet 的 URL 时,一切正常。
当我尝试使用 HTTP URL 访问它时,我预计它会返回 403 或类似的错误。相反,我下载了一些小的(11 字节?)二进制文件,其名称与 servlet 的名称相匹配。
有人遇到过类似的问题吗?你是怎么解决的?我应该检查什么以确保我做的一切都是正确的?
编辑:我尝试使用curl而不是浏览器来连接相同的连接器,并注意到它不返回任何标头。哦,响应的大小是 7 个字节,而不是 11 个字节。
编辑 2:这是我的演示应用程序的 web.xml 中与安全相关的部分:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure Servlet</web-resource-name>
<url-pattern>/SecureServlet</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint>
<role-name>connect</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description>The role required to connect to the application
</description>
<role-name>connect</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
I configured an instance of Tomcat following this article: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html. I commented out HTTP connector because I want my demo application to be accessible only via HTTPS. I configured HTTPS connector as such:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystorePass="nopass"
keystoreFile="/home/someuser/.keystore" keyAlias="tomcat" />
Everything works fine when I hit the URL of the my demo application's servlet using HTTPS.
When I tried to hit it using HTTP URL, I expected it to return 403 or similar error. Instead I got download of some small (11 bytes?) binary file with the name matching the name of the servlet.
Did anyone experienced similar issue? How did you resolve it? What should I check to make sure I did everything right?
EDIT: I tried hitting the same connector using curl instead of the browser and noticed that it doesn't return any headers. Oh, and the size of the response is 7 bytes, not 11.
EDIT 2: This is the security-related part of the web.xml of my demo application:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure Servlet</web-resource-name>
<url-pattern>/SecureServlet</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint>
<role-name>connect</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description>The role required to connect to the application
</description>
<role-name>connect</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我通过在
server.xml中注释掉 HTTP 连接器来测试这一点,强制应用程序在 HTTPS 上运行按预期工作
返回 404
注意不正确<协议的混合 和端口返回一小段垃圾流,在 IE 中呈现,在 Firefox 中呈现为二进制,
大小为 7 个字节
您能否重新检查一下您是否看到了第三种情况这在自然情况下不应该发生,但只有在有人篡改 URL 时才会发生?
好的,我使用
CONFIDENTIAL进行了测试,但它仍然没有将 8443 上的 http 重定向到 https。我猜只有当用户在有效的 8080 端口上尝试 http 时才会出现这种情况。使用 Fiddler,我看到返回的标头不存在并且是垃圾响应。
这似乎是标准行为,以这种方式访问应用程序的最终用户将按预期看到垃圾。
如果您确实需要,您可以尝试编写您自己的自定义 Tomcat Valve 其作用类似于过滤器来处理这种特殊情况并重定向用户到 SSL
I have tested this by commenting out the HTTP Connector in
server.xmlforcing the app to work on HTTPSworks as expected
returns a 404
Note the incorrect mix of protocol and port returns a small stream of garbage which is rendered in IE and as binary in Firefox
this is of 7 bytes
Can you recheck if you are seeing the 3rd scenario which should not happen in a natural case but only if someone fiddles with the URL?
Okay, I tested using
CONFIDENTIALbut it still does not redirect the http on 8443 to https. I'm guessing that only comes into picture when the user has tried http on the valid 8080 port.Using Fiddler, I see that the headers coming back are non-existent and the junk response.
This seems to be the standard behaviour, and end-users who access the app in this manner will see junk as expected.
If you really need to, you could try writing your own custom Tomcat Valve which acts like a Filter to take care of this special case and redirect the users to SSL