Date: Tue, 20 Jul 2004 17:09:52 +0100
From: Colm MacCarthaigh
To: Manni Wood
Cc: dev@httpd.apache.org
Subject: Re: Invitation to HTTPD commiters in tomcat-dev

On Tue, Jul 20, 2004 at 12:08:01PM -0400, Manni Wood wrote:
> Along with the ability for your back-end servlets to get a correct
> value from ServletRequest.isSecure() depending on whether or not
> Apache was originally contacted with HTTP vs HTTPS?

Personally, I always use Apache to authenticate such things directly before allowing anything to execute. By allowing the script to authenticate it, the thing is already running and I'm already prone to whatever some scripter's idea of secure programming is - so there's hardly a point.

It's much simpler to just not proxy if the originating request wasn't SSL. But if it's really necessary that it be conditional, use an X- header, or a query string :-)

--
Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net
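
The two options in the reply above, sketched as an Apache configuration. This is an added example, not part of the original message; the host name, file paths, backend address and the header name X-Forwarded-Proto are assumptions (the message only says "an X- header").

```apache
# Constructed example: host name, paths and backend address are placeholders.

# Option 1: requests that did not arrive over SSL are never proxied.
# The plain-HTTP vhost has no ProxyPass at all; it only redirects.
<VirtualHost *:80>
    ServerName app.example.org
    Redirect permanent / https://app.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName app.example.org
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/app.example.org.crt
    SSLCertificateKeyFile /etc/httpd/tls/app.example.org.key

    # Authenticate in Apache, before the request reaches any backend code.
    <Location "/app/">
        AuthType Basic
        AuthName "app"
        AuthUserFile /etc/httpd/app.htpasswd
        Require valid-user
    </Location>

    # Option 2: tell the backend which scheme the client used.
    # "set" replaces any X-Forwarded-Proto the client sent itself, so the
    # backend only ever sees the value written here (needs mod_headers).
    RequestHeader set X-Forwarded-Proto "https"

    # Backend listens on loopback only (assumed), so it cannot be reached
    # by a client that bypasses this proxy.
    ProxyPass        /app/ http://127.0.0.1:8080/app/
    ProxyPassReverse /app/ http://127.0.0.1:8080/app/
</VirtualHost>

# If plain HTTP must be proxied as well (the "conditional" case), the
# port-80 vhost would carry its own ProxyPass together with:
#     RequestHeader set X-Forwarded-Proto "http"
# so that a client-supplied "https" value is overwritten there too.
```

The header is only trustworthy to the backend because every path to it goes through a vhost that overwrites it; a backend reachable directly would see whatever value the client chose to send.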