tomcat-dev mailing list archives

From <cost...@covalent.net>
Subject Re: Tomcat to support other keystore types?
Date Thu, 08 Nov 2001 16:18:48 GMT

On Wed, 7 Nov 2001, Bill Barker wrote:

> Thanks for the suggestion (and the Class).  This has been itching me for
> some time.  I've just added it to the 3.3 branch, and changed the
> HttpServletResponseFacade to use it.
>
> I view Costin's points as being really orthogonal to this problem.  His case
> is that it should be possible to make a https connection without installing
> JSSE in lib/ext.  This problem is that it is possible (via Apache+Tomcat) to
> have an SSL server, without otherwise having any need to have JSSE anywhere
> on the machine.

Actually my point is that webapps should also be able to use
java.net.URL(https:), since apache-SOAP, jaxm, etc do need that.

The problem is that installing JSSE in WEB-INF/lib or lib/common or
anywhere but in CLASSPATH seems to fail in most VMs. That's because
java.net.URL is using Class.forName() and doesn't seem to take the
thread class loader ( or the common class loader, which is a child )
into consideration.

So either change the startup to include JSSE in CLASSPATH, or add
the URLHandlerFactory ( which can solve additional problems - like
adding other protocols with handlers in the webapp ). Of course,
one question is the security implications - but we can force
URLHandlerFactory to look only in lib/common or trusted apps.


Costin


> ----- Original Message -----
> From: "Craig R. McClanahan" <craigmcc@apache.org>
> To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>; "Bill Barker"
> <william.barker@wilshire.com>
> Cc: <jfrederic.clere@fujitsu-siemens.com>
> Sent: Wednesday, November 07, 2001 3:45 PM
> Subject: Re: Tomcat to support other keystore types?
>
>
> >
> >
> > On Wed, 7 Nov 2001, Bill Barker wrote:
> >
> > > Date: Wed, 7 Nov 2001 10:40:22 -0800
> > > From: Bill Barker <wbarker@wilshire.com>
> > > Reply-To: Tomcat Developers List <tomcat-dev@jakarta.apache.org>,
> > >      Bill Barker <william.barker@wilshire.com>
> > > To: Tomcat Developers List <tomcat-dev@jakarta.apache.org>,
> > >      jfrederic.clere@fujitsu-siemens.com
> > > Subject: Re: Tomcat to support other keystore types?
> > >
> > > And, indeed, for tomcat+apache, we don't use JSSE (except to allow for url
> > > rewriting ;).
> >
> > The need for this was reported as a bug on Tomcat 4 :-).  We fixed it by
> > implementing a class similar to java.net.URL
> > (org.apache.catalina.util.URL) for the express purpose of being able to
> > create https URLs without the JSSE classes being available.  Feel free to
> > use it (and the associated JUnit test case) in 3.3.
> >
> > Craig
> >
> >
>
>
> --
> To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
>
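
An added example, not code from this thread or from Tomcat: a sketch of the restricted factory Costin describes, written against the JDK's java.net.URLStreamHandlerFactory interface. The class names, the "demo" protocol and the use of the class's own loader as a stand-in for the lib/common loader are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.net.URLStreamHandlerFactory;
import java.util.Locale;
import java.util.Map;

/** Resolves protocol handlers only through a loader the container trusts. */
public class TrustedHandlerFactory implements URLStreamHandlerFactory {
    private final ClassLoader trusted;          // assumption: the loader for lib/common
    private final Map<String, String> allowed;  // protocol -> handler class name

    public TrustedHandlerFactory(ClassLoader trusted, Map<String, String> allowed) {
        this.trusted = trusted;
        this.allowed = Map.copyOf(allowed);
    }

    @Override
    public URLStreamHandler createURLStreamHandler(String protocol) {
        String name = allowed.get(protocol.toLowerCase(Locale.ROOT));
        if (name == null) return null;  // not allow-listed: JDK default lookup applies
        try {
            // Explicit loader: the thread context loader (the webapp's own loader
            // during a request) is never consulted, so a class that exists only in
            // a webapp's WEB-INF/lib cannot be picked up as a handler.
            Class<?> c = Class.forName(name, true, trusted);
            return (URLStreamHandler) c.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | ClassCastException e) {
            return null;                // missing or not a handler: treat as unsupported
        }
    }

    /** Constructed stand-in for a real handler such as the JSSE https one. */
    public static class DemoHandler extends URLStreamHandler {
        @Override
        protected URLConnection openConnection(URL u) throws IOException {
            throw new IOException("demo handler: no connection support");
        }
    }

    public static void main(String[] args) throws MalformedURLException {
        ClassLoader common = TrustedHandlerFactory.class.getClassLoader(); // stands in for lib/common
        // The JVM accepts only one factory, so the container installs it at startup.
        URL.setURLStreamHandlerFactory(new TrustedHandlerFactory(common,
                Map.of("demo", DemoHandler.class.getName())));
        System.out.println(new URL("demo://example.invalid/x").getProtocol());
    }
}
```

Because URL.setURLStreamHandlerFactory can be called only once per JVM, whichever code installs the factory decides handler resolution for every webapp, which is why the allow-list and the loader are fixed at construction.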
