Hi,
Bill Shannon wrote:
> Jeanfrancois Arcand wrote:
>> Hi,
>>
>> I've recently committed support in Grizzly[1] a port unification
>> mechanism that allow the discovery of the TCP request protocol and
>> transport. When enabled, a single port can listen to any TCP requests
>> (clean text or TLS/SSL) and dispatch the request to the targeted
>> Container (HTTP, SOA, etc.). Technically, it means we can open a
>> single TCP port and support multiple protocols (http, https, IIOP,
>> SOAP/TCP, etc.)
>
> Wonderful!
>
>> By default, I've added support for HTTP protocol (clean text and SSL),
>> which means we can support the following use case. If the wrong
>> transport is used, Grizzly will automatically redirect to the proper
>> transport|protocol:
>>
>> admin-listener listening on port 4848 and secure-enabled = false
>>
>> Client request Server port
>>
>> http://...:4848 --> http://....:4848
>> https://...:4848 --> http://....:4848
>
> If the user asks for a secure connection, are we sure we want to give
> him a non-secure connection?
Right now the browser will get a redirect to http. Usually browser
display a window that notify the user it will move from https -> http.
Note that the handshake successfully occurred when the browser gets the
https response:
browser server
----------------------------------------------
https:// --> handshake
find transport|protocol
<-- send a redirect(302) over https
get the https response
http:// -->
That seems like a security risk.
Let me investigate. It can easily be disabled.
Thanks
-- Jeanfrancois
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe_at_glassfish.dev.java.net
> For additional commands, e-mail: dev-help_at_glassfish.dev.java.net
>
>