disable https on localhost only

Question

I'm using tomcat 7 and I would like to disable SSL traffic origination from localhost only! and enable it for inbound traffic.

I have added the following config to web.xml and it's currently redirects traffic from http to https.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>app</web-resource-name>
        <url-pattern>/info</url-pattern>
    </web-resource-collection>
    <!-- OMIT auth-constraint -->
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>app</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Role</role-name>
    </auth-constraint>
</security-constraint>

I have a custom backup tool on my server that doesn't work with HTTPs therefore I'm looking to disable HTPPs on localhost.

Answer 1

you can comment below line in your server.xml file.

<Connector port="8443" ... SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" ... />

hope this will help !!

Answer 2

You can disable specific url just putting NONE on transport-guarantee tag, check Is security-constraint configuration for Tomcat mandatory?

<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/info/*</url-pattern>
        <url-pattern>/info2/*</url-pattern>
        <url-pattern>/info3/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>