tomcat-dev mailing list archives

From James Todd <>
Subject Re: config diag, etc
Date Wed, 04 Aug 1999 23:44:06 GMT
Troy Poppe wrote:
> > my thoughts on security was, assuming http/s cgi compliant protocol,
> > use a cookie or url-rewriting scheme (hence the servlet "candidate
> > implementation" bubble in the config service quadrant).
> Can we safely assume that there is an implementation of http/s for
> all admin tool platforms? (ie. J2SE)  We can't really say, go buy an
> SSL implementation to use our configuration service safely.

yep. if we go http (as i feel should be one of the baseline
api/protocol hooks) then we'll need to dive down see what this
entails regarding https/ssl. there are a few free ssl
implementations out there and i also believe that more will be
showing up. the ssl implementation used by the client and that
used by the config service need not be the same ... as long as
they can interact. so, is there a sufficient wealth of good
ssl packages available for the clients (apache, tools) at hand?

stepping back a bit, if we go with http and don't really care
about the transport encryption piece a bit (i'm not necessarily
advocating this is the right thing to do) perhaps our security
concerns could be addressed with a stateful request protocol
whereby:

	client "logs in" via url form/encoding data means

	a cookie or session id is returned

	the client will include the cookie and/or session id
	in all subsequent http requests in order to associate
	the request with the server side security constraints

perhaps https/ssl could be considered an option at this
point if folks are cool with transporting the data in the
clear with the understanding that at some time we can
introduce ssl at the transport layer.

now, shifting to the implementation side of the brain for a
moment, the servlet api can be used to help on the configuration
service side of this equation quite nicely and also is a
pretty important aspect of the jakarta initiative in full.
tomcat can be used to proto an http configuration service/broker/
manager while interacting with a number of distinct clients
yet keeping the transactional data of each independent.

- james
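The stateful login/cookie exchange sketched in the message above, as an added example that is not part of this thread or of Tomcat: a Python simulation of both sides, where the client logs in with form data, receives a session id, and replays it on every later request so the server can map the request to that user's permitted operations. `ConfigService`, `client_run`, the `CONFIGSESSION` cookie name and the `USERS` table are all constructed for illustration. Because the session id is a bearer token, anyone who can read it off the wire can reuse it, which is exactly why the thread keeps the transport-layer ssl question open.

```python
import hmac
import secrets
import time

# Constructed credential store: user -> (password, operations the user may perform).
# Plain-text passwords only keep the sample short; a real service stores hashes.
USERS = {"admin": ("s3cret", {"read", "write"}), "viewer": ("view", {"read"})}
SESSION_TTL = 600  # seconds a session id stays valid
COOKIE = "CONFIGSESSION"


class ConfigService:
    """Server side: issues session ids at login, enforces them on every later request."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be exercised in tests
        self._sessions = {}        # session id -> (user, expiry timestamp)

    def login(self, form):
        """Step 1: client 'logs in' with form-encoded data; step 2: a session id is returned."""
        entry = USERS.get(form.get("user"))
        if entry is None or not hmac.compare_digest(form.get("password", ""), entry[0]):
            return {"status": 401}
        sid = secrets.token_urlsafe(32)  # unguessable id from the OS CSPRNG, never sequential
        self._sessions[sid] = (form["user"], self._now() + SESSION_TTL)
        return {"status": 200, "set_cookie": f"{COOKIE}={sid}"}

    def request(self, op, cookie=""):
        """Step 3: each later request carries the cookie, which binds it to the user's constraints."""
        jar = dict(kv.split("=", 1) for kv in cookie.split("; ") if "=" in kv)
        session = self._sessions.get(jar.get(COOKIE, ""))
        if session is None or session[1] < self._now():
            return {"status": 401}  # unknown, forged or expired session id
        user, _ = session
        if op not in USERS[user][1]:
            return {"status": 403}  # authenticated, but not permitted this operation
        return {"status": 200, "user": user, "op": op}


def client_run(service, user, password, ops):
    """Client side: log in once, then replay the cookie on each request; returns the status codes."""
    resp = service.login({"user": user, "password": password})
    if resp["status"] != 200:
        return [resp["status"]]
    cookie = resp["set_cookie"]  # what a browser would keep from the Set-Cookie header
    return [service.request(op, cookie)["status"] for op in ops]


if __name__ == "__main__":
    print(client_run(ConfigService(), "viewer", "view", ["read", "write"]))  # [200, 403]
```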
