My goal is to have my Tomcat 8.5 application serve pages solely through https. In my ApplicationInitializer, I have this block of code:
```java
ServletRegistration.Dynamic dispatcher = container.addServlet("dispatcher", new DispatcherServlet(rootContext));
dispatcher.setLoadOnStartup(1);
dispatcher.addMapping("/");
if (Environment.PRODUCTION.getValue().equals(EnvironmentUtil.getEnvironmentName())) {
    //checked that the flow of control reaches here. yes, I know it should be using spring profiles instead
    HttpConstraintElement forceHttpsConstraint = new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL);
    ServletSecurityElement securityElement = new ServletSecurityElement(forceHttpsConstraint);
    dispatcher.setServletSecurity(securityElement);
}
```
However, now I can't get the same effect unless I specifically add this to the web.xml:
```xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Automatic Forward to HTTPS/SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```
Are these two blocks equivalent? If so, why would the latter work and not the former?
I am trying to figure out why this would be the case. We recently switched from Tomcat 8 to Tomcat 8.5, so wondering whether that would be the issue. We also upgraded from Spring 4.3.11 to 4.3.14, but I don't know whether that would cause it either.
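One way to see which URLs each configuration actually covers, as an added example that is not part of the original post: request a few paths over plain HTTP without following redirects and list the ones that are served instead of redirected to `https://`. It assumes the container answers a plain-HTTP request to a CONFIDENTIAL resource with a redirect to an `https://` URL; the function names, paths and sample responses are constructed for illustration.

```python
import http.client
import sys

REDIRECTS = (301, 302, 303, 307, 308)

def probe(host, port, path, timeout=5):
    """Send one plain-HTTP GET without following redirects; return (status, Location)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def classify(status, location):
    """'redirect' = sent to https://, 'served' = content returned over HTTP."""
    if status in REDIRECTS and (location or "").lower().startswith("https://"):
        return "redirect"
    if 200 <= status < 300:
        return "served"
    return "other"  # errors, or redirects that stay on http://

def exposed_paths(results):
    """results: {path: (status, location)} -> sorted paths served over plain HTTP."""
    return sorted(p for p, (s, loc) in results.items() if classify(s, loc) == "served")

# Constructed responses (not captured from a real server), used when no
# host/port is given so the script also runs offline.
SAMPLE = {
    "/": (302, "https://localhost:8443/"),
    "/account/list": (302, "https://localhost:8443/account/list"),
    "/static/app.css": (200, None),
}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py HOST HTTP_PORT
        host, port = sys.argv[1], int(sys.argv[2])
        results = {p: probe(host, port, p) for p in SAMPLE}
    else:
        results = SAMPLE
    for path, (status, location) in sorted(results.items()):
        print(f"{path:20} {status} {classify(status, location)} {location or ''}")
    print("served over plain HTTP:", exposed_paths(results))
```

Running it once with only the programmatic constraint and once with only the `web.xml` constraint shows whether the two protect the same set of URLs.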