https://bz.apache.org/bugzilla/show_bug.cgi?id=62067

            Bug ID: 62067
           Summary: HttpConstraint not applied when Servlet mapped ""
           Product: Tomcat 8
           Version: 8.5.27
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Specification APIs
          Assignee: dev@tomcat.apache.org
          Reporter: p.rosend...@aenova.nl
  Target Milestone: ----

Created attachment 35711
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35711&action=edit
Source demonstrating the problem

Overview: 

    When mapping a servlet to the url pattern "", and specifying a security
constraint like TransportGuarantee.CONFIDENTIAL, the constraint is not applied.

Steps to Reproduce: 

    1) Define a servlet and annotate with:
    @WebServlet(name = "Root", urlPatterns = { "" })
    @ServletSecurity(@HttpConstraint(transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL))

    2) Deploy as the ROOT web app on Tomcat configured with an HTTP and an HTTPS
connector

    3) Access the server with, for example: wget http://localhost:8080/

Actual Results:

    The resource is retrieved over HTTP

Expected Results: 

    Tomcat initially responds with a redirect, and the resource is retrieved
over HTTPS

Remarks:

    Access should be denied in case of a configuration error (such as
redirectPort=0 on the HTTP connector)

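A check for the behaviour this report describes, added here as an example (it is not part of the bug report, its attachment, or Tomcat): it requests a plain-HTTP URL without following redirects and reports whether the CONFIDENTIAL constraint was enforced. The function names are hypothetical, and it assumes curl is installed and that enforcement shows up as either a redirect to an https:// URL or a 403.

```shell
#!/bin/sh
# Added example: checks whether a CONFIDENTIAL transport guarantee is
# enforced on a plain-HTTP URL. Function names are hypothetical.

# classify_response STATUS LOCATION
# Prints one of: redirected, denied, exposed, inconclusive
classify_response() {
    status=$1
    location=$2
    case "$status" in
        3[0-9][0-9])
            case "$location" in
                https://*) echo redirected ;;   # expected result in the report
                *) echo inconclusive ;;         # redirect that does not go to HTTPS
            esac ;;
        403) echo denied ;;                     # e.g. no usable redirectPort
        2[0-9][0-9]) echo exposed ;;            # resource served over plain HTTP
        *) echo inconclusive ;;
    esac
}

# check_confidential URL
# Sends one request without following redirects; returns 0 only when
# the constraint is enforced (redirected or denied).
check_confidential() {
    url=$1
    # -w prints the status code and the URL curl would be redirected to
    out=$(curl -s -o /dev/null --max-time 10 \
        -w '%{http_code} %{redirect_url}' "$url") || out="000 "
    status=${out%% *}
    location=${out#* }
    verdict=$(classify_response "$status" "$location")
    echo "$url: HTTP $status -> $verdict"
    case "$verdict" in
        redirected|denied) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs only when URLs are given, e.g.: sh check.sh http://localhost:8080/
if [ "$#" -gt 0 ]; then
    rc=0
    for u in "$@"; do check_confidential "$u" || rc=1; done
    exit $rc
fi
```

Run against the setup in the report, an `exposed` verdict for `http://localhost:8080/` corresponds to the "Actual Results" above.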