62067 – HttpConstraint not applied when Servlet mapped ""
Bug 62067 - HttpConstraint not applied when Servlet mapped ""
Summary: HttpConstraint not applied when Servlet mapped ""
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Specification APIs (show other bugs)
Version: 8.5.27
Hardware: PC All
: P2 normal (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-01-31 14:39 UTC by Patrick Rosendaal
Modified: 2018-02-06 11:41 UTC (History)
0 users


Attachments
Source demonstrating the problem (1.35 KB, application/x-zip-compressed)
2018-01-31 14:39 UTC, Patrick Rosendaal 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Patrick Rosendaal 2018-01-31 14:39:22 UTC 
Created attachment 35711 [details]
Source demonstrating the problem

Overview: 

    When mapping a servlet to the url pattern "", and specifying a security constraint like TransportGuarantee.CONFIDENTIAL, the constraint is not applied.

Steps to Reproduce: 

    1) Define a servlet and annotate with:
    @WebServlet (name = "Root", urlPatterns = { "" })
    @ServletSecurity(@HttpConstraint(transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL))

    2) Deploy as the ROOT web app on Tomcat configured with a HTTP and a HTTPS connector

    3) Access the server with, for example: wget http://localhost:8080/

Actual Results:

    The resource is retrieved over HTTP

Expected Results: 

    Tomcat initially responds with a redirect, and the resource is retrieved over HTTPS

Remarks:

    Access should be denied in case of a configuration error (such redirectPort=0 on the HTTP connector)
Comment 1 Mark Thomas 2018-02-06 11:41:47 UTC 
Fixed in:
- trunk for 9.0.5 onwards
- 8.5.x for 8.5.28 onwards
- 8.0.x for 8.0.50 onwards
- 7.0.x for 7.0.85 onwards