tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GOMEZ Henri <>
Subject RE: SSL Attributes
Date Mon, 17 Sep 2001 21:52:52 GMT

>Is the "Connector-over-SLL" issue even addressed by the spec? If the 
>front-end web server is handling all of the authentication, then isn't 
>securing the connectors simply securing the communication channel, 
>having nothing to do with authentication?

I doubt the connector case (web-server to tomcat) was ever 
discussed on spec )
>I could be wrong, I'm just asking. If the Tomcat container 
>itself is not 
>involved in the authentication process, one would not expect that a 
>webapp has access to the client cert anyway. Is that right?

Since WebServer (a least apache+mod_ssl) could allready handle
the strong authentification (requires + level of chain to check),
couldn't we just have in ajp13 the client cert  which will allow
developper extract needed information for client cert, known 
that the authentification is done elsewhere...

Any serious site will have a dedicated web-server handling the
SSL workload (in native code).

Best choice is Apache/SSL or Apache-mod_ssl with openssl, all
being 100% OpenSource :)

PS: Did Sun will ever opensourced JSSE ? Could someone here
    do some lobbying ? 
    It could be a project donated to jakarta or may be 
    the solution could came from Cryptix :)

View raw message