I have a client WebSocket endpoint in Tomcat and I'm trying to secure the WebSocket communication. I have my keystore, truststore and password configurations done. I'm pretty sure that the underlying connection is secure because:

1) On the machine running Tomcat, I have enabled SSL debugging with System.setProperty("javax.net.debug", "ssl") and I can see the handshake happening.
2) I have set the server WebSocket endpoint (in Jetty) to accept upgrade requests only if the connection is secure. And the request is accepted.

But the method session.isSecure() is always returning false. While looking at the org.apache.tomcat.websocket.WsWebSocketContainer in the method connectToServer(Endpoint endpoint, ClientEndpointConfig clientEndpointConfiguration, URI path) I have seen that at line 362 a new WsSession is created with the boolean value "false" instead of the private variable "secure". I guess therein lies the problem.

Thanks for the report and the analysis. Your analysis is spot on. I have fixed this in 8.0.x for 8.0.6 onwards and in 7.0.x for 7.0.54 onwards.