tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Freyr Stefansson <>
Subject RE: Tomcat 3.2 SSL question
Date Wed, 06 Sep 2000 17:35:02 GMT
Ok... now we're getting somewhere...  This is something which may be the
thing we need to do.
I am, however, not familiar with what you're talking about when you talk
about the "Interceptor or Valve interfaces / base classes" but I'm guessing
that this may be some class that Tomcat uses for the connections.  Any
additional information on this would be very much appreciated.  I've gone
through the source files of Tomcat and found no "" nor
"" files...  (I also looked at the generated javadoc files).  Does
this have anything to do with the socketFactory or Connector/Handler
parameters in the server.xml file in the tomcat "conf" directory?  If I
"implement these classes on my own" where would I use them?  Will they be
dynamic (like with a conf file where you can select which implementation to
use) or will they replace the previous ones?

If you could either explain to me a little bit more about this or point me
to a place where I could find out more that would be greatly appreciated.

Thanks in advance,
	Stefan Freyr

-----Original Message-----
From: Nick Bauman []
Sent: 6. september 2000 15:24
Subject: RE: Tomcat 3.2 SSL question


It sounds more like what you are describing is a "strong extranet" type of
authentication with client-side as well as server-side certificates are
utilized (aka SSL v.3)

So the question recast might be: "does Tomcat have support for SSL
v.3"? Surely the SSL libraries used with Tomcat does, which means if
tomcat doesn't have "out-of-box" support for it, you could implement it
via the Interceptor or Valve interfaces / base classes yourself. No?

On Wed, 6 Sep 2000, Stefan Freyr Stefansson wrote:

> Thank you for this reply Costin and I'm sorry for the delay of replying to
> it...
> The problem is that we don't use Apache + Tomcat.  The reason for this is
> that we do not need a high performance http server and Apache would be
> too big to integrate into our project.  Therefore we are using Tomcat.
> So I would like to get some info on HOW two way authentication in Tomcat
> done... can anybody point me in the right direction?
> Thanks again in advance.
> Stefan
> -----Original Message-----
> From: Costin Manolache []
> Sent: 30. agust 2000 16:30
> To:
> Subject: Re: Tomcat 3.2 SSL question
> > My first question is the obvious one.  When is Tomcat 3.2 final supposed
> to
> > come out?
> To quote Jon:
> When it's ready.
> Few weeks ago I would have hoped for a faster release, but seeing the
> amount of testing and detailing that's going on I would wait a bit more.
> ( documentations, script improvements, all kind of fixes, etc.). My
> is that's very close.
> > start bugging you guys about it.  But... I would like to know if Tomcat
> 3.2
> > SSL (once I get it up and running) supports two way authentication.  I
> need
> > the client to be able to verify that he/she is talking to the server
> he/she
> > believes he/she is talking to... (a lot of he/she's in there... anything
> to
> > be politically correct ;o) But I also need to be able to verify that the
> > client is who he/she says he/she is (this is ridiculous).  For that I
> > two way authentication.
> Probably it's he/she/it ( the browser is the client most of the time ).
> I never tested this feature, but I saw few reports that it works.
> If you use Tomcat + Apache then you can just use the Apache's
> SSL for mutual authentication ( it should work faster too )
> > One other thing is about the licencing.  Our plan is to integrate Tomcat
> > into one of our own products.  The product is not a commercial product
> > very unlikely that anybody could benefit from using this thing except
> my
> > company...  I would like to know if it is allright to use Tomcat in such
> > way?  Are there any limitations or fees???  We looked at the licence
> > that came with the Tomcat download and the way we understood that was
> > we could basically use it any which way we wanted given that we included
> > some things in our manual and didn't change the headers of the source
> files
> > (you know... the thing whith all the copyright thingys and such).
> AFAIK you can do anything you want except claim it's yours :-)
> This is a frequent question - maybe we should add something on the
> web page.
> Costin
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message