Bug 62067

Summary: HttpConstraint not applied when Servlet mapped ""
Product: Tomcat 8
Reporter: Patrick Rosendaal <p.rosendaal>
Component: Specification APIs
Assignee: Tomcat Developers Mailing List <dev>
Severity: normal    
Priority: P2    
Version: 8.5.27   
Target Milestone: ----   
Hardware: PC   
OS: All   
Attachments: Source demonstrating the problem

Description Patrick Rosendaal 2018-01-31 14:39:22 UTC
Created attachment 35711
Source demonstrating the problem


    When mapping a servlet to the URL pattern "", and specifying a security constraint like TransportGuarantee.CONFIDENTIAL, the constraint is not applied.

Steps to Reproduce: 

    1) Define a servlet and annotate with:
    @WebServlet (name = "Root", urlPatterns = { "" })
    @ServletSecurity(@HttpConstraint(transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL))

    2) Deploy as the ROOT web app on Tomcat configured with an HTTP and an HTTPS connector

    3) Access the server with, for example: wget http://localhost:8080/

Actual Results:

    The resource is retrieved over HTTP

Expected Results: 

    Tomcat initially responds with a redirect, and the resource is retrieved over HTTPS


    Access should be denied in case of a configuration error (such as redirectPort=0 on the HTTP connector)

Comment 1 Mark Thomas 2018-02-06 11:41:47 UTC
Fixed in:
- trunk for 9.0.5 onwards
- 8.5.x for 8.5.28 onwards
- 8.0.x for 8.0.50 onwards
- 7.0.x for 7.0.85 onwards
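
A regression check for the behaviour reported above, as an added example that is not part of the bug report or of Tomcat: it requests a path over plain HTTP without following redirects and classifies the reply as the report's actual result, its expected result, or a refusal. The stub server, the sample status codes and the port 8443 in the redirect target are constructed for the demo, and treating any 4xx/5xx status as a refusal is an assumption.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def classify_plain_http(host, port, path="/", timeout=5):
    """GET path over plain HTTP without following redirects; classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        status, location = resp.status, resp.getheader("Location") or ""
    finally:
        conn.close()
    if 300 <= status < 400 and urlsplit(location).scheme == "https":
        return "redirected-to-https"  # the report's expected result
    if 200 <= status < 300:
        return "served-over-http"     # the report's actual result
    if status >= 400:
        return "denied"               # assumption: refusal shows up as 4xx/5xx
    return "unexpected"               # e.g. a redirect that stays on http

def stub(status, location=None):
    """Constructed stand-in server (not Tomcat) that always sends one fixed reply."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            if location:
                self.send_header("Location", location)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):
            pass  # keep the demo quiet
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo():
    """Classify three constructed replies: bug, redirect, refusal."""
    verdicts = []
    for status, loc in [(200, None), (302, "https://localhost:8443/"), (403, None)]:
        server = stub(status, loc)
        verdicts.append(classify_plain_http("127.0.0.1", server.server_port))
        server.shutdown()
        server.server_close()
    return verdicts

if __name__ == "__main__":
    print(demo())
```

Against a deployment like the one in the report, `classify_plain_http("localhost", 8080)` returning `served-over-http` means the constraint is not being enforced on the context root.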