tomcat-users mailing list archives

From: "Hawkins, Keith (Keith)" <kphawk...@avaya.com>
Subject: RE: Workaround for IIS redirector + SSL problem ??
Date: Tue, 16 Oct 2001 20:26:21 GMT

I seem to have a working solution where I use IIS to secure static .html
pages by setting the virtual directory options to require SSL.  Putting
a request.isSecure() check at the top of my JSP pages handles the
redirector problem.  If the isSecure() test fails, I do a
response.sendError(403).  Seems like a functional work-around.

-Keith


-----Original Message-----
From: Michael Risch [mailto:mrisch@computerlaw.com]
Sent: Monday, October 15, 2001 5:45 PM
To: tomcat-user@jakarta.apache.org
Subject: RE: Workaround for IIS redirector + SSL problem ??


You don't have to force the whole server - just one directory.  Further,
if you allow IIS to serve non-java (e.g. index.html/default.htm), then
IIS should force SSL for that page.

>>> kphawkins@avaya.com 10/15/01 01:00PM >>>
Another problem I noticed is that the HttpRequest.getAuthType() returns
"null" even if I redirect from an HTML page that is SSL protected by IIS
to a JSP page.  Shouldn't at least the auth type be preserved??  

I was hoping to put a check at the top of my JSP pages to make sure the
getAuthType() returns "SSL".  But alas... this does not work either.  I
get null regardless of how I arrive at the JSP page.  Even if I type the
URL to the JSP page directly and use https in the URL.

The problem we have is that we are developing a web application that
gets installed and run by our clients on their web servers.  We want to
make SSL an option but not a requirement.  Forcing SSL on the entire web
server may not be what our clients wish.

Can the SSL fix to the redirector be expected in the next few months or
not?  You mentioned a need to detect the IIS version in order to correct
the problem.  Couldn't the IIS version be added as a value in a Tomcat
config file (wrapper.properties maybe) to avoid having to dynamically
determine the value?

-Keith

-----Original Message-----
From: Ignacio J. Ortega [mailto:nacho@siapi.es] 
Sent: Monday, October 15, 2001 3:04 PM
To: 'tomcat-user@jakarta.apache.org' 
Subject: RE: Workaround for IIS redirector + SSL problem ??


The problem is not general; you can use SSL in IIS and get Tomcat to
work with IIS seamlessly and using SSL. What you cannot do (AFAIK) is
to configure IIS in the way you propose to only protect by SSL one virtual
dir, but what you can do, as Michael points out, is to install an SSL
certificate in the entire IIS and later make a redirection to the
https URL... without problems.

Well, one problem: for the redirections from http to https to work, a
JSSE installation is needed on the server machine.

Regards,
Ignacio J. Ortega


> -----Original Message-----
> From: Hawkins, Keith (Keith) [mailto:kphawkins@avaya.com]
> Sent: Monday, October 15, 2001 20:02
> To: tomcat-user
> Subject: Workaround for IIS redirector + SSL problem ??
> 
> 
> 
> I received a reply to my post regarding configuring IIS redirector for
> use with SSL. (See below.)
> 
> The reply indicates that the IIS redirector has the unfortunate
> side-effect of bypassing SSL security and that a patch for the problem
> is in the works but won't be available immediately.  
> 
> So what are my options?   Can I follow the instructions for having
> Tomcat perform SSL and still use the IIS redirector?  Will that even
> work?
> 
> Any suggestions are welcome.  I am sure that I am not the only one who
> needs SSL + IIS redirector simultaneously.  What are other people doing
> to get past this problem?
> 
> Thanks,
> Keith


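The per-page request.isSecure() / sendError(403) check described at the top of this message can also be applied in one place. The following is an added example, not code from the thread or from the Tomcat project; it assumes a Servlet 2.3 container (filters are not available in earlier versions), and the class name and the "requireSsl" init-param are hypothetical. The init-param keeps SSL optional per installation, as the thread requires.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: rejects any request the container does not
// report as secure, instead of repeating the check in every JSP.
public class RequireSslFilter implements Filter {

    private boolean requireSsl;

    public void init(FilterConfig config) throws ServletException {
        // "requireSsl" is an assumed init-param name. Enforcement is
        // switched off only by an explicit "false"; a missing or
        // mistyped value keeps the check on (fail closed).
        String value = config.getInitParameter("requireSsl");
        requireSsl = !"false".equalsIgnoreCase(value);
    }

    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain chain)
            throws IOException, ServletException {
        // Same test as the JSP workaround: isSecure() is what the
        // container reports for this request.
        if (requireSsl && !req.isSecure()) {
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_FORBIDDEN,
                    "HTTPS is required for this resource");
            return; // do not run the JSP or servlet at all
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```

isSecure() only reflects what the connector passes to Tomcat, so the filter should be exercised through the IIS redirector with both http and https URLs before it is relied on.
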