
I have multiple Tomcat servers with independent configurations running on the same machine at different ports. I recently converted a few of the Tomcat servers from HTTP to HTTPS. So the strange problem is:

Application 1: running at https://x.y.z.w:10001 (https)
Application 2: running at http://x.y.z.w:8888 (http)

If I access Application 2 from my browser (chrome/firefox) first it works fine.

If I access Application 1 first and later Application 2, Application 2's URL is automatically changed to https://x.y.z.w:8888. Even if I restart the browser, Application 2's URL is still redirected to https. After this, the only way to solve the problem is to delete the browser cache and access Application 2 first.

How do I prevent Application 2's URL from getting redirected to https automatically?

SVGK Raju
  • This is due to httpHeaderSecurity defaulting to true in Tomcat 8 onwards. I am using apache-tomcat-9.0.11. I tried setting hstsEnabled to false using an init-param for the httpHeaderSecurity filter. Still the same problem. – SVGK Raju Oct 15 '19 at 18:12
  • More information about HSTS: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security – SVGK Raju Oct 16 '19 at 06:05

2 Answers

I added the code below to Application 1's Tomcat web.xml file. This did not help me.

<!-- Tomcat's built-in security-headers filter; hstsEnabled=false should stop it
     from emitting Strict-Transport-Security on HTTPS responses -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <!-- only meaningful while hstsEnabled is true; max-age=0 would clear a cached policy -->
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>0</param-value>
    </init-param>
</filter>
SVGK Raju


This issue is fixed now. I added the code below to the WebSecurityConfigurerAdapter of the Spring Boot application.

import org.springframework.security.config.annotation.web.builders.HttpSecurity;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.headers()
        .httpStrictTransportSecurity()
            .includeSubDomains(false)
            .maxAgeInSeconds(0); // max-age=0 tells the browser to drop its cached HSTS entry for this host
}

Regds -raju

SVGK Raju