Bug 62067 - HttpConstraint not applied when Servlet mapped ""
Summary: HttpConstraint not applied when Servlet mapped ""
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Specification APIs (show other bugs)
Version: 8.5.27
Hardware: PC All
: P2 normal (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2018-01-31 14:39 UTC by Patrick Rosendaal
Modified: 2018-02-06 11:41 UTC (History)
0 users

Source demonstrating the problem (1.35 KB, application/x-zip-compressed)
2018-01-31 14:39 UTC, Patrick Rosendaal

Note You need to log in before you can comment on or make changes to this bug.
Description Patrick Rosendaal 2018-01-31 14:39:22 UTC
Created attachment 35711 [details]
Source demonstrating the problem


    When mapping a servlet to the url pattern "", and specifying a security constraint like TransportGuarantee.CONFIDENTIAL, the constraint is not applied.

Steps to Reproduce: 

    1) Define a servlet and annotate with:
    @WebServlet (name = "Root", urlPatterns = { "" })
    @ServletSecurity(@HttpConstraint(transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL))

    2) Deploy as the ROOT web app on Tomcat configured with a HTTP and a HTTPS connector

    3) Access the server with, for example: wget http://localhost:8080/

Actual Results:

    The resource is retrieved over HTTP

Expected Results: 

    Tomcat initially responds with a redirect, and the resource is retrieved over HTTPS


    Access should be denied in case of a configuration error (such redirectPort=0 on the HTTP connector)
Comment 1 Mark Thomas 2018-02-06 11:41:47 UTC
Fixed in:
- trunk for 9.0.5 onwards
- 8.5.x for 8.5.28 onwards
- 8.0.x for 8.0.50 onwards
- 7.0.x for 7.0.85 onwards