56458 – session.isSecure() returning false when using SSL/TLS

Bug 56458 - session.isSecure() returning false when using SSL/TLS

Summary: session.isSecure() returning false when using SSL/TLS

Status:	RESOLVED FIXED

Alias:	None

Product:	Tomcat 8
Classification:	Unclassified
Component:	WebSocket (show other bugs)
Version:	8.0.5
Hardware:	Macintosh All

Importance:	P2 normal (vote)
Target Milestone:	----
Assignee:	Tomcat Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-04-25 12:37 UTC by burr.clover
Modified:	2014-04-25 15:40 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description burr.clover 2014-04-25 12:37:31 UTC

I have a client Websocket endpoint in Tomcat and I'm trying to secure the Websocket communication. I have my keystore, truststore and password configurations done. I'm pretty sure that the underlying connection is secure because:

1) On the machine running Tomcat, I have enabled SSL debugging with System.setProperty("javax.net.debug", "ssl") and i can see the handshake happening.

2) I have set the server Websocket endpoint (in Jetty) to accept upgrade requests only if the connection is secure. And the request is accepted.

But the method session.isSecure() is always returning false.

While looking at the org.apache.tomcat.websocket.WsWebSocketContainer in the method connectToServer(Endpoint endpoint, ClientEndpointConfig clientEndpointConfiguration, URI path) I have seen that at line 362 a new WsSession is created with the boolean value "false" instead of the private variable "secure". I guess therein lies the problem.

Comment 1 Mark Thomas 2014-04-25 15:40:21 UTC

Thanks for the report and the analysis. Your analysis is spot on. I have fixed this in 8.0.x for 8.0.6 onwards and in 7.0.x for 7.0.54 onwards.