Is security-constraint configuration for Tomcat mandatory?

No, it’s not necessary. It means that your web application only available through HTTPS (and not available through HTTP).

If you omit the <transport-guarantee>CONFIDENTIAL</transport-guarantee> tag (or the whole <security-constraint>) your application will be available through both HTTP and HTTPS. If your web.xml contains <transport-guarantee>CONFIDENTIAL</transport-guarantee> Tomcat automatically redirects the requests to the SSL port if you try to use HTTP.

Please note that the default Tomcat configuration does not enable the SSL connector, you have to enable it manually.
Check the SSL Configuration HOW-TO for the details.

Leave a Comment