tomcat-users mailing list archives

From David H Elrod <dhel...@rivendell.com>
Subject Re: Tomcat + SSL
Date Mon, 05 Jun 2000 18:04:23 GMT

Scott,
My approach was to use ServletRequest.getServerPort()
to see if the connection was via SSL.

I tried
  HttpServletRequest.getAuthType() 
and
  ServletRequest.isSecure()
among other calls, but they don't seem to be implemented in Tomcat
yet. However, ServletRequest.getServerPort() returns "80" when I
call it via HTTP, and "443" when I call it via HTTPS. My browser
(Linux Netscape 4.73) shows the little lock that means it is a
secure connection, and my SSL log shows an SSL transaction, so
I ***think*** this is a good way.

The servlet code I use is:

	int port = request.getServerPort();
	if (port != 443) { return; }

which returns if the connection didn't come in via port 443.


If you find a better way, please let me know! :>

David

> Let me make sure I understand you.
> 
> > Configure Tomcat to only use the "ajpv12" protocol (in the
> > server.xml file). Have Apache handle all http/https
> > traffic.
> 
> This simply shuts down Tomcat's http server, right?
> 
> > In the "tomcat.conf" file (which will be read in at the end of your
> > httpds.conf file) put lines similar to the following:
> > ApJservMount /examples ajpv12://localhost:8007/examples
> 
> (I'm assuming "httpds.conf" was simply a typo, and not a config file that I
> am unaware of. Is that right?)
> 
> This routes any Apache requests with an URL pattern of /examples to Tomcat,
> regardless of the underlying protocol, right? If so, how do you allow only
> https (encrypted) requests to get to Tomcat, rejecting http (plain text)
> requests? Is there a mechanism for catching this at the web server level, or
> must each servlet check the encryption status of the request?
> 
> As I think about this it seems more like a web server issue than a Servlet
> container issue. Perhaps there is a way to tell Apache to only allow
> encrypted access to a particular URL pattern. Surely this facility must
> exist to protect static pages. If so, Apache could catch the request and
> deny it before it is ever forwarded to Tomcat.
> 
> Does anyone know?
> 
> ====================================================
> A. Scott White
> Director of Information Systems and Product Strategy
> ACS Healthcare Solutions Group


-------------------------------------------------------------------
David Hunter Elrod                   Rivendell Technologies, Inc
dhelrod@rivendell.com                1111 W. El Camino #109, PMB348
http://www.rivendell.com             Sunnyvale, CA 94087-0126
Voice: 650/254-1790                  Fax: 650/254-1792
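
The check described in this message, written as a reusable base servlet. This is an added example, not code from the original post or from Tomcat. It assumes a container in which isSecure() and getScheme() are implemented and keeps the port comparison as an opt-in fallback; the class name HttpsOnlyServlet and the "allowPortFallback" init parameter are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; the class name and the "allowPortFallback" init parameter
// are hypothetical and do not come from the message or from Tomcat.
public abstract class HttpsOnlyServlet extends HttpServlet {

    private static final int HTTPS_PORT = 443; // port used in the message

    private boolean allowPortFallback;

    @Override
    public void init() throws ServletException {
        // Enable the port comparison only where isSecure() is not implemented.
        allowPortFallback = "true".equals(getInitParameter("allowPortFallback"));
    }

    // True when the container reports an SSL request, or when the fallback
    // is enabled and the request was addressed to the HTTPS port.
    boolean arrivedOverSsl(HttpServletRequest request) {
        if (request.isSecure() || "https".equalsIgnoreCase(request.getScheme())) {
            return true;
        }
        // Weaker evidence: a container may take this value from the Host
        // header rather than from the socket the connection arrived on.
        return allowPortFallback && request.getServerPort() == HTTPS_PORT;
    }

    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (!arrivedOverSsl(request)) {
            // Refuse explicitly instead of returning an empty 200 response.
            log("Rejected non-SSL request for " + request.getRequestURI());
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        super.service(request, response); // dispatch to doGet/doPost as usual
    }
}
```

Servlets that extend this class inherit the check for every HTTP method, so individual doGet/doPost methods do not each need their own port test.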
