Bug 56458 - session.isSecure() returning false when using SSL/TLS
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: WebSocket
Version: 8.0.5
Hardware: Macintosh All
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Reported: 2014-04-25 12:37 UTC by burr.clover
Modified: 2014-04-25 15:40 UTC



Description burr.clover 2014-04-25 12:37:31 UTC
I have a client Websocket endpoint in Tomcat and I'm trying to secure the Websocket communication. I have my keystore, truststore and password configurations done. I'm pretty sure that the underlying connection is secure because:

1) On the machine running Tomcat, I have enabled SSL debugging with System.setProperty("javax.net.debug", "ssl") and I can see the handshake happening.

2) I have set the server Websocket endpoint (in Jetty) to accept upgrade requests only if the connection is secure. And the request is accepted.

But the method session.isSecure() is always returning false.

While looking at the org.apache.tomcat.websocket.WsWebSocketContainer in the method connectToServer(Endpoint endpoint, ClientEndpointConfig clientEndpointConfiguration, URI path) I have seen that at line 362 a new WsSession is created with the boolean value "false" instead of the private variable "secure". I guess therein lies the problem.
Comment 1 Mark Thomas 2014-04-25 15:40:21 UTC
Thanks for the report and the analysis. Your analysis is spot on. I have fixed this in 8.0.x for 8.0.6 onwards and in 7.0.x for 7.0.54 onwards.