tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Filip Hanik - Dev Lists <>
Subject Re: svn commit: r465303 - in /tomcat/tc6.0.x/trunk: java/org/apache/coyote/http11/ java/org/apache/tomcat/util/net/ webapps/docs/ webapps/docs/config/
Date Wed, 18 Oct 2006 20:51:02 GMT
Mladen Turk wrote:
>> I have two suggestions
>> 1. The SSLEngine attribute should be in the APR lifecycle listener, 
>> and not in the connector, since its static, I can't have more than 
>> one, so why do I have to define it more than once.
> This would require doubling directives for enabling SSL, once in
> Listener and once in Connector.
>> 2. Add a SSLEnabled (or sslEnabled) attribute to the connector with 
>> only true/false values.
>> The goal from the beginning was consistency, and also support 
>> secure=true scheme=https even though its not actually running SSL, a 
>> pretty important feature.
> I agree, but then SSLEngine implicitly enables ssl processing with APR
> connector, while on other it would depend on scheme.
> Perhaps we should consider scheme for enabling ssl in APR as well
> and if SSLEngine != Off && sheme=https then calling SSL.initialize
My suggestion would be this:

<Listener className="org.apache.catalina.core.AprLifecycleListener" 

<Connector port="8444" scheme="https" secure="true" 
protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true"/>
<Connector port="8555" scheme="https" secure="true" 
protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="false"/>

[1] - this calls SSL.initialize if the value is set to anything but "off".
[2] - this is a SSL connector, handshake/encryption/decryption is done 
by Tomcat
[3] - this is a non SSL connector, but tricking the application to think 
it is, in this example, my network card does the SSL enc/dec, and passes 
HTTP to tomcat

It's the [3] feature I am looking after, as APR already has this, but 
hidden into the connector.
[3] is accomplished with APR today like this,
<Connector port="8666" scheme="https" secure="true" 
protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEngine="off"/>
But this functionality should exist for the java connectors as well.

The benefits:
1. SSL.initialize is only called once per VM, I can add multiple APR SSL 
2. [3] & [4] have the same attributes, I could swap out 
Http11AprProtocol with Http11NioProtocol or Http11Protocol
3. Consistency across the connectors

does this make sense, no connector depends on "secure" or "scheme" these 
are just values passed onto the request if the admin wants to force 
those values.

> Regards,
> Mladen.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message