tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Warner Onstine" <onst...@intalio.com>
Subject Re: Request is secure is wrong...
Date Mon, 03 Jul 2000 17:32:09 GMT

----- Original Message -----
From: <costin@eng.sun.com>
To: <tomcat-dev@jakarta.apache.org>
Sent: Friday, June 30, 2000 12:33 PM
Subject: Re: Request is secure is wrong...


> > Finally did some research on this.
> >
> > the HttpServletRequest.setScheme("https") is not being called anywhere
with
> > Tomcat to let it know that this is indeed a secure connection.  Where
should
> > we be adding this critical information?
>
> I have no idea :-)
>
> The only one who knows the request is secure is the SSL adapter. In case
> of Apache - the Ajp/JNI adapter will set the request.
>
> In case of standalone, the connector knows about this. We can either add
> a connector attribute ( and you set it to true if you also set a SSL
> factory ) or you can add a new method in SocketFactory to ask the factory
> if it can the transport is secure.
>
> What I would do is add a processRequest( Request req ) in SocketFactory (
> as a hack ), and the method will also add certificates or whatever is
> necesary.

Does processRequest automatically get called when a factory is created?

> SSLSocketFactory  needs a bit more "power" - it will also be used for
> cert. authentication, etc.

Have you looked at the patch I submitted?  It now allows the user to specify
Client Authentication, once that is turned on it automatically goes through
the certificate chain and verifies they are who they say they are.  What
other attributes do you think are need in the SSLSocketFactory?

> Costin

-warner


Mime
View raw message