https://bz.apache.org/bugzilla/show_bug.cgi?id=62067
Bug ID: 62067
Summary: HttpConstraint not applied when Servlet mapped ""
Product: Tomcat 8
Version: 8.5.27
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Specification APIs
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ----
Created attachment 35711
--> https://bz.apache.org/bugzilla/attachment.cgi?id=35711&action=edit
Source demonstrating the problem
Overview:
When mapping a servlet to the url pattern "", and specifying a security
constraint like TransportGuarantee.CONFIDENTIAL, the constraint is not applied.
Steps to Reproduce:
1) Define a servlet and annotate with:
@WebServlet (name = "Root", urlPatterns = { "" })
@ServletSecurity(@HttpConstraint(transportGuarantee =
ServletSecurity.TransportGuarantee.CONFIDENTIAL))
2) Deploy as the ROOT web app on Tomcat configured with an HTTP and an HTTPS
connector
3) Access the server with, for example: wget http://localhost:8080/
Actual Results:
The resource is retrieved over HTTP
Expected Results:
Tomcat initially responds with a redirect, and the resource is retrieved
over HTTPS
Remarks:
Access should be denied in case of a configuration error (such as
redirectPort=0 on the HTTP connector)
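A regression check for the expected results in the report above, as an added example that is not part of the original report or its attachment: it sends one plain-HTTP GET for the context root without following redirects and classifies the answer. The function names, the treatment of 403 as the "denied" outcome, port 8443 and the local stand-in server are assumptions of this example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def classify(status, location):
    """Classify a plain-HTTP response against a CONFIDENTIAL transport guarantee."""
    if 300 <= status < 400:
        # A redirect only satisfies the guarantee if it targets HTTPS.
        if urlsplit(location or "").scheme == "https":
            return "redirected-to-https"
        return "redirected-elsewhere"
    if status == 403:
        return "denied"            # assumption: denial is signalled with 403
    if 200 <= status < 300:
        return "served-in-clear"   # the actual result described in the report
    return "other"

def probe(host, port, path="/"):
    """Send one GET over plain HTTP; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return classify(resp.status, resp.getheader("Location"))
    finally:
        conn.close()

def constructed_server(status, location=None):
    """Constructed stand-in for an HTTP connector that always answers the same way."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            if location:
                self.send_header("Location", location)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo output quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    # Constructed responses: cleartext, HTTPS redirect, denial.
    for status, loc in [(200, None), (302, "https://localhost:8443/"), (403, None)]:
        srv = constructed_server(status, loc)
        print(status, probe("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
```

Against a real deployment, call `probe("localhost", 8080)` after step 2; any result other than `redirected-to-https` or `denied` means the constraint is not being enforced on the context root.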