tomcat-users mailing list archives

From "Turner, John" <JTur...@AAS.com>
Subject RE: How to verify SSL/HTTPS behind Tomcat via AJP13
Date Tue, 25 Feb 2003 13:41:47 GMT

The return from getProtocol() is correct, AFAIK.  I don't believe there is a
HTTPS/1.1 or similar, but I could be wrong.

By "check protocol type" in the docs (agreed, it is unclear), I believe it
means to do one (or all) of the following:

- check the URL for "https"
- check the port number for the request
- use HttpServletRequest.isSecure(), though I think that will return "false"
  when you use Tomcat via a connector with Apache... I've never tried it to be
  sure.

John

> -----Original Message-----
> From: Ian Hunter [mailto:ihunter@hunterweb.net]
> Sent: Monday, February 24, 2003 9:26 PM
> To: Tomcat Users List
> Subject: How to verify SSL/HTTPS behind Tomcat via AJP13
> 
> 
> From http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html -- "Any
> pages which absolutely require a secure connection should check the protocol
> type associated with the page request and take the appropriate action if
> https is not specified."
> 
> Also, "When running Tomcat primarily as a Servlet/JSP container behind
> another web server, such as Apache or Microsoft IIS, it is usually necessary
> to configure the primary web server to handle the SSL connections from
> users. Typically, this server will negotiate all SSL-related functionality,
> then pass on any requests destined for the Tomcat container only after
> decrypting those requests. Likewise, Tomcat will return cleartext responses,
> that will be encrypted before being returned to the user's browser. In this
> environment, Tomcat knows that communications between the primary web server
> and the client are taking place over a secure connection (because your
> application needs to be able to ask about this), but it does not participate
> in the encryption or decryption itself."
> 
> However, when I check "request.getProtocol()" I get "HTTP/.1.1" even when
> I'm connecting via SSL (url shows https: and browser shows "lock" and
> confirms 128 bit SSL) -- what gives?
> 
> 
> 
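
An added example, not part of either message or of the Tomcat documentation: a servlet filter that applies the checks listed in the reply (scheme, port, `isSecure()`) using the standard `javax.servlet` API. The class name `RequireHttpsFilter` and the `canonicalHost` init-param are hypothetical; whether `isSecure()` returns true behind the AJP connector depends on the front-end setup, which the log line lets you confirm.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter; map it in web.xml to the URL patterns that must be HTTPS-only.
public class RequireHttpsFilter implements Filter {
    private FilterConfig config;
    private String canonicalHost; // hypothetical init-param, e.g. "www.example.com"

    public void init(FilterConfig config) throws ServletException {
        this.config = config;
        canonicalHost = config.getInitParameter("canonicalHost");
        if (canonicalHost == null || canonicalHost.length() == 0) {
            throw new ServletException("canonicalHost init-param is required");
        }
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // getProtocol() reports the HTTP version only, so it is not consulted here.
        boolean secure = req.isSecure() && "https".equalsIgnoreCase(req.getScheme());
        if (secure) {
            chain.doFilter(rq, rs);
            return;
        }
        // Record what the connector reported, to verify the front-end setup.
        config.getServletContext().log("Non-HTTPS request: scheme=" + req.getScheme()
                + " port=" + req.getServerPort() + " isSecure=" + req.isSecure()
                + " uri=" + req.getRequestURI());
        if ("GET".equals(req.getMethod())) {
            // Redirect to a configured host, not one taken from the request.
            String qs = req.getQueryString();
            res.sendRedirect("https://" + canonicalHost + req.getRequestURI()
                    + (qs == null ? "" : "?" + qs));
        } else {
            // A request body has already crossed the wire in cleartext; refuse it.
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
        }
    }

    public void destroy() { }
}
```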
