Bug 59399 - Tomcat doesn't support setting the response code for http -> https redirect
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Connectors
Version: 7.0.42
Hardware: PC Linux
Importance: P2 enhancement
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Reported: 2016-04-30 15:37 UTC by Duncan Lyall
Modified: 2016-06-15 11:12 UTC

Description Duncan Lyall 2016-04-30 15:37:51 UTC
Product: apache-tomcat-7.0.42
Version: 7.0.42
Component: Connector (guess)
Platform: x86_64
OS: Ubuntu Linux 12.04.2 LTS and CentOS Linux release 7.2.1511
Severity: enhancement
Java: jdk1.8.0_77

Tomcat 7.0.42 used as standalone web server port 80
configured with 

<transport-guarantee>CONFIDENTIAL</transport-guarantee> in web.xml

and 

<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<Connector port="443" maxThreads="150" scheme="https" secure="true"
           SSLEnabled="true" keystoreFile="/opt/keys/tomcat.keystore" 
           keystorePass="?" clientAuth="false" keyAlias="tomcat" sslProtocol="TLS" />   

in server.xml

# curl -D /tmp/headers.txt -s http://localhost
# cat headers.txt

HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
...
It doesn't seem to be possible to configure the response code for the http -> https redirect. 

Discussions with Google webmasters reveal that Google require a 301 moved permanently response to the http -> https redirect. This is key to maintaining existing rankings.

Unfortunately Tomcat returns 302 temporary redirect when performing the redirection.

Implementing site-wide https is also crucial to maintaining rankings; unfortunately, the benefits of doing this are largely negated by the inability to return the required status code. The only option is to undeploy https, thereby once again harming rankings.

A good Google ranking is the difference between making a profit and making a loss. Much as I don't like it, that's the way it is unfortunately.
Comment 1 Mark Thomas 2016-06-15 11:12:11 UTC
This has been implemented as a new option in the Realm and has been implemented in:
- 9.0.x for 9.0.0.M9 onwards
- 8.5.x for 8.5.4 onwards
- 8.0.x for 8.0.37 onwards
- 7.0.x for 7.0.70 onwards
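
Added example, not part of the bug report or of Tomcat: a shell check over a header dump written by `curl -D`, as in the description, that confirms the transport-guarantee redirect uses the wanted status and points at an https URL. The attribute name in the comment is taken from the Tomcat Realm configuration reference rather than from this page, and the two sample dumps (including their Location headers) are constructed.

```shell
#!/bin/sh
# On the fixed releases the redirect status is set on the Realm in
# server.xml (default remains 302), e.g.:
#   <Realm ... transportGuaranteeRedirectStatus="301" />

# check_redirect FILE [WANT_STATUS]
# Prints "<status> <location>". Returns 0 only when the status matches
# WANT_STATUS (default 301) and Location is an https:// URL;
# 1 = wrong status, 2 = Location missing or not https.
check_redirect() {
    file=$1
    want=${2:-301}
    # Status line is the first line of the dump: "HTTP/1.1 302 Found"
    status=$(sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' "$file")
    # Header names are case-insensitive; drop the CR that curl preserves.
    location=$(tr -d '\r' < "$file" |
        awk 'tolower($1) == "location:" { print $2; exit }')
    echo "$status $location"
    [ "$status" = "$want" ] || return 1
    case $location in
        https://*) return 0 ;;
        *) return 2 ;;
    esac
}

# Constructed sample dumps (not captured from a real server).
sample_dir=$(mktemp -d)
printf 'HTTP/1.1 302 Found\r\nServer: Apache-Coyote/1.1\r\nLocation: https://localhost/\r\n\r\n' \
    > "$sample_dir/before.txt"
printf 'HTTP/1.1 301 Moved Permanently\r\nServer: Apache-Coyote/1.1\r\nLocation: https://localhost/\r\n\r\n' \
    > "$sample_dir/after.txt"

for f in before after; do
    if result=$(check_redirect "$sample_dir/$f.txt"); then
        echo "$f: OK   ($result)"
    else
        echo "$f: FAIL ($result)"
    fi
done
```

Against a live server, write the dump with `curl -s -o /dev/null -D /tmp/headers.txt http://localhost` and pass that file to `check_redirect`.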