From: "Bill Barker"
To: "Tomcat Developers List" <dev@tomcat.apache.org>
Subject: Re: Status/Authority of AJP/1.5
Date: Tue, 25 Oct 2005 10:04:02 -0700
Message-ID: <003a01c5d986$19f9e620$7037a8c0@nt.wilshire.com>

----- Original Message -----
From: "William A. Rowe, Jr."
To: "Tomcat Developers List"
Sent: Tuesday, October 25, 2005 9:03 AM
Subject: Re: Status/Authority of AJP/1.5

> Costin Manolache wrote:
> >
> > Security (i.e. authentication) might be the only reason to extend
> > AJP - but even this can be done on top of the existing protocol, using
> > a custom header and connection initiation.
>
> Only partly true. Let's take the HTTPS state, for example... if tomcat looks
> for X-PROTOCOL=HTTPS, for example, passing this from the proxy as a typical
> header is simply wrong for security reasons. It's too trivial to fake, and
> it's too expensive to guard against.
>
> The safe way is to have two header-types: one, a client HTTP-type header; the
> other, proxy metadata such as the protocol, SSL keys and other server variables.
> These wouldn't be relayed as HTTP-style headers, so therefore all sorts of proxy
> to backend data can be trusted.
>

Urm, all of this is already part of the AJP/1.3 protocol, and now that BZ #36883 is fixed, it is working well in mod_proxy_ajp. The main limitation with the current protocol here is that AJP/1.3 only sends the actual client cert instead of the entire chain. One idea would be to expose the SSL data via a callback Msg, so that Servlets that aren't going to look at it don't have to waste time asking mod_ssl for the data. But it's probably not that big of a deal.

> (FYI - w.r.t. the client/server certs, I don't suggest a full blown mod_ssl
> type of decomposition. If they want to tear apart the certificates, it sure
> makes sense to introspect them through jsse, no?)
>
> Bill
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
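The two channels the thread argues over are visible in the AJP/1.3 forward-request framing itself: client HTTP headers sit in the headers table, while the proxy-set `is_ssl` flag and the `SSL_CERT`/`SSL_CIPHER`/`SSL_KEY_SIZE` attributes sit in a separate attribute list that a client cannot write to. The encoder and decoder below are an added illustration, not code from the thread, Tomcat or mod_proxy_ajp; the wire codes are those of the AJP/1.3 protocol reference, and the `remote_addr`/`server_name` values are constructed placeholders.

```python
import struct

# AJP/1.3 wire codes, from the AJP/1.3 protocol reference (only the ones used here).
FORWARD_REQUEST, METHOD_GET = 0x02, 0x02
HDR_CODE = {"host": 0xA00B, "user-agent": 0xA00E}   # common headers travel as 0xA0xx codes
HDR_NAME = {v: k for k, v in HDR_CODE.items()}
SSL_CERT, SSL_CIPHER, SSL_KEY_SIZE, ARE_DONE = 0x07, 0x08, 0x0B, 0xFF

def _s(v):                                  # AJP string: u16 length, bytes, terminating NUL
    b = v.encode()
    return struct.pack(">H", len(b)) + b + b"\x00"

def _rd_s(buf, i):                          # read an AJP string, return (value, next offset)
    n = struct.unpack_from(">H", buf, i)[0]
    return buf[i + 2:i + 2 + n].decode(), i + 3 + n

def encode_forward_request(uri, headers, is_ssl, ssl_attrs):
    # headers: client HTTP headers (untrusted); is_ssl/ssl_attrs: metadata only the proxy sets.
    b = bytes([FORWARD_REQUEST, METHOD_GET]) + _s("HTTP/1.1") + _s(uri)
    b += _s("192.0.2.10") + _s("") + _s("backend")      # remote_addr, remote_host, server_name (constructed)
    b += struct.pack(">H", 443 if is_ssl else 80) + bytes([int(is_ssl)])
    b += struct.pack(">H", len(headers))
    for name, val in headers:
        code = HDR_CODE.get(name.lower())
        b += (struct.pack(">H", code) if code else _s(name)) + _s(val)
    for code, val in ssl_attrs:                         # each attribute is a 1-byte code then its value
        b += bytes([code]) + (struct.pack(">H", val) if code == SSL_KEY_SIZE else _s(val))
    return b"\x12\x34" + struct.pack(">H", len(b) + 1) + b + bytes([ARE_DONE])

def decode_forward_request(pkt):
    if pkt[:2] != b"\x12\x34" or pkt[4] != FORWARD_REQUEST:
        raise ValueError("not an AJP/1.3 forward request")
    i, fields = 6, []
    for _ in range(5):                      # protocol, req_uri, remote_addr, remote_host, server_name
        v, i = _rd_s(pkt, i); fields.append(v)
    is_ssl, i = bool(pkt[i + 2]), i + 3     # server_port (u16) followed by the is_ssl boolean byte
    n, i = struct.unpack_from(">H", pkt, i)[0], i + 2
    headers, attrs = {}, {}
    for _ in range(n):                      # a u16 >= 0xA000 is a header code, never a string length
        name, i = (HDR_NAME[struct.unpack_from(">H", pkt, i)[0]], i + 2) if pkt[i] == 0xA0 else _rd_s(pkt, i)
        headers[name.lower()], i = _rd_s(pkt, i)
    while pkt[i] != ARE_DONE:               # attributes follow the headers, terminated by 0xFF
        code, i = pkt[i], i + 1
        attrs[code], i = (struct.unpack_from(">H", pkt, i)[0], i + 2) if code == SSL_KEY_SIZE else _rd_s(pkt, i)
    return {"uri": fields[1], "is_ssl": is_ssl, "headers": headers, "attrs": attrs}

def request_is_secure(req):
    # HTTPS is decided from the proxy-set is_ssl field, never from a client-forgeable header.
    return req["is_ssl"]
```

A client-supplied `X-Protocol: HTTPS` lands in `headers` and never changes `is_ssl` or `attrs`, which is why the backend can trust the latter as long as the AJP link itself is reachable only from the proxy.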