Is security-constraint configuration for Tomcat mandatory?

Question

In order to do an SSL Configuration testing under Tomcat, is this all mandatory?

This below line is taken from a website:

In order to do this for our test, take any application which has already been deployed successfully in Tomcat and first access it through http and https to see if it works fine. If yes, then open the web.xml of that application and just add this XML fragment before web-app ends i.e </web-app>:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Is this configuration is mandatory to do inside a web.xml file ??

Answer 1

No, it's not necessary. It means that your web application only available through HTTPS (and not available through HTTP).

If you omit the <transport-guarantee>CONFIDENTIAL</transport-guarantee> tag (or the whole <security-constraint>) your application will be available through both HTTP and HTTPS. If your web.xml contains <transport-guarantee>CONFIDENTIAL</transport-guarantee> Tomcat automatically redirects the requests to the SSL port if you try to use HTTP.

Please note that the default Tomcat configuration does not enable the SSL connector, you have to enable it manually. Check the SSL Configuration HOW-TO for the details.

Answer 2

If you check closer, the blog explains that further:

Any resource in your application can be accessed only with HTTPS be it Servlets or JSP’s. The term CONFIDENTIAL is the term which tells the server to make the application work on SSL. If you want to turn the SSL mode for this application off then just turn don’t delete the fragment. Just put the value as NONE instead of CONFIDENTIAL.