Both using mod_jk and standalone, the SessionServlet example (for instance) fails to track session with cookies disabled when accessed through https://, while it works when accessed through http://

Example urls:
http://anytomcat:8080/examples/servlet/SessionServlet works
https://anytomcat:8443/examples/servlet/SessionServlet fails

With https it creates a new session for each request.
The problem is caused because the java.net.URL constructor does not know anything about the HTTPS protocol by default. The JSSE 1.0.2 reference implementation contains an implementation of an HTTPS URLStreamHandler. To make this handler available the handler's package must be added to the list of packages which are searched by the Java URL class. This is configured via the java.protocol.handler.pkgs system property. To make this package available to Tomcat you can add -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol to the TOMCAT_OPTS environment variable (if you're using tomcat.bat or tomcat.sh) or edit wrapper.properties if you're using the NT service. I'm going to leave the bug open because later Tomcat versions might be able to add the ability to configure this system property via server.xml. It won't happen in 3.2.2, but maybe 3.3 or 4.0 could look into this.
Thanks for your effort. I have checked the workaround and it works, only if you apply the following patch (as current code only accepts http/80 as default ports, while https/443 should be also accepted). Without the patch it works on non-default ports, but still not when used through mod_jk or in 443.

Regards, Santiago Gala

Index: src/share/org/apache/tomcat/facade/HttpServletResponseFacade.java =================================================================== RCS file: /home/cvspublic/jakarta-tomcat/src/share/org/apache/tomcat/facade/Attic/HttpServletResponseFacade.java,v retrieving revision 1.6.2.3 diff -u -r1.6.2.3 HttpServletResponseFacade.java --- src/share/org/apache/tomcat/facade/HttpServletResponseFacade.java 2001/03/06 17:38:13 1.6.2.3 +++ src/share/org/apache/tomcat/facade/HttpServletResponseFacade.java 2001/03/20 13:29:41 @@ -353,10 +353,14 @@ return (false); if (!request.getServerName().equalsIgnoreCase(url.getHost())) return (false); - // Set the URL port to HTTP default if not available before comparing + // Set the URL port to protocol default if not available before comparing int urlPort = url.getPort(); if (urlPort == -1) { - urlPort = 80; + if("http".equalsIgnoreCase(url.getProtocol())) { + urlPort = 80; + } else if ("https".equalsIgnoreCase(url.getProtocol())) { + urlPort = 443; + } } if (request.getServerPort() != urlPort) return (false);
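
Review bot: In the new `if (urlPort == -1)` block, a URL whose protocol is neither "http" nor "https" leaves urlPort at -1, so the following `request.getServerPort() != urlPort` test rejects it only as a side effect. Session ids are written into rewritten URLs by this method, so refusing to encode an unrecognised scheme is the safe outcome, but it should be explicit: add a final `else { return (false); }` or at least a comment saying the fall-through is intended. The updated comment "protocol default" would also be clearer if it named the two defaults (80 for http, 443 for https). Style: `if("http"` lacks the space after `if` that the `else if ("https"` branch has, and url.getProtocol() could be read once into a local instead of being called in both branches.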
*** Bug 269 has been marked as a duplicate of this bug. ***
I committed the change to HttpServletResponseFacade.isEncodable() to set the default port for both secure and insecure requests. Note that the committed code is slightly different than the patch included here. The fix has been committed to 3.2.2, but not to 3.3.
Reopen to change resolution
This fix has been applied to Tomcat 3.3