tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: Security constrant to force SSL works with apache+tomcat?
Date Sat, 07 Dec 2002 02:35:25 GMT

On Fri, 6 Dec 2002, Milt Epstein wrote:

> Date: Fri, 6 Dec 2002 16:17:41 -0600 (CST)
> From: Milt Epstein <>
> Reply-To: Tomcat Users List <>
> To: Tomcat Users List <>
> Subject: Re: Security constrant to force SSL works with apache+tomcat?
> On 6 Dec 2002, Alexander Wallace wrote:
> > Thankyou david...  If i run tomcat standalone I can use
> > request.getRemoteAddr(), request.getRemoteHost(), and
> > request.getRemoteUser() to get some info I would love to have, but
> > if apache is in front of tomcat the info is always localhost and
> > null for the other methods, at least the way I'm doing it... So i
> > was wondering if there was a way to get the same info i get with
> > tomcat stand alone.
> I have apache in front of tomcat, and those methods work fine for me.
> So perhaps there is something else going on here, something in your
> configuration that is not right.
> > Pretty much what I want to do is run an app that will be open to the
> > public. It has a section that needs to be protected with ssl. And i
> > would like to use tomcat standalone but if i use tomcat's ssl, i
> > loose all objects i placed in the session before i swhitch to
> > https... Is there a way to be able to access those objects in the
> > non https session?
> AFAIK, pretty much no.  Doing so would be a security risk.  This has
> come up many times before, check the list archives.  General
> recommendation is to not switch between http and https, always use one
> or the other.

That's not quite right.

Starting a session in http and switching to https for the sensitive part
(i.e. fill your shopping cart on http and switch for the checkout page
that asks for your credit card number) is fine.

Switching from https to http, in the same session, is not fine.

> Also, I'm not sure I understand the need for using tomcat security
> constraints for forcing https usage when using apache in front of
> tomcat.  It makes more sense to me to configure the web server
> instances/pieces so that resources that need to be secure are only
> available via https.  You can control this by, for example, what
> DocumentRoot's the instances have, what tomcat webapps are
> "mounted"/available in the instances, etc.  That's what I do.  But
> maybe you're using a different model/setup/organization than I'm
> envisioning, one where it's not so easy to do that.  (Of course, one
> option there is to change your model.)

That's certainly a valid approach if you *are* running Tomcat behind
Apache, but what if you're running it standalone?  That's what the
<user-data-constraint> element of a security constraint is for.


To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message