Tomcat：从HTTP重定向到HTTPS的问题 [英] Tomcat: Issue with redirecting from HTTP to HTTPS

问题描述

我正在对使用Struts并在Tomcat上部署的现有Web应用程序进行一些修改。当用户访问某个特定页面时，我试图让我的应用程序从HTTP重定向到HTTPS。为此，我添加到我的web.xml：

I am doing some modifications to an existing web application which uses Struts and deploys on Tomcat. I was trying to make my application redirect from HTTP to HTTPS when the user visits one particular page. To do that, I added to my web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>secured page</web-resource-name>
    <url-pattern>/secured.do</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

和我的server.xml：

and to my server.xml:

<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile=".keystore"
keystorePass="password" />

并且有效。问题是，一旦用户被重定向到HTTPS，即使他访问另一个常规页面，他也不会返回HTTP。我的问题是，这种行为是正常的，并且前面提到的配置应该这样做吗？或者是否有与应用程序相关的导致此行为的内容？谢谢

and it worked. The problem was that once the user is redirected to HTTPS, he doesn't go back to HTTP even when he visits another regular page. My question is, is that behavior normal, and are the configurations mentioned earlier supposed to do that? Or is there something related to the application that is causing this behavior? Thank you

推荐答案

是的，这是Tomcat上的正常行为。

Yes, that is the normal behaviour on Tomcat.

一旦进入https，它就不会将其他URL重定向回http，除非该URL明确用于http。

Once it moves into https, it will not redirect other URLs back into http, unless the URL explicitly is for http.

您可以尝试将此添加到 web.xml 中的非安全URL模式块，但这仍然不会在https后自动重定向到http。

You could try adding this to the non-secure URL pattern block in web.xml, but this still wont auto-redirect to http after an https.

 <user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>

如果你真的需要，你必须写一个 过滤器 检查URL是否不是安全模式的一部分，然后重定向回http。

If you really need to, you would have to write a Filter to check if the URL is not part of the secured pattern, then redirect back to http.

这篇关于Tomcat：从HTTP重定向到HTTPS的问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！