tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Decker <>
Subject Re: Tomcat 5.5 / Apache 2 / Join (Tomcat-) Session with SSL-Session / Which mod should be used?
Date Fri, 19 May 2006 11:08:27 GMT

>> 1.) Which mod should I use?
> mod_proxy (is a supporting library in apache, which I think you need to
> load in order to use mod_proxy_ajp or mod_proxy_xyzanything).

The advantage seems to be, that it's easier to configure.

>> 2.) How to join application and SSL session?
>> I've read in an old tomcat-apache-ssl documentation [5] that mod_jk is
>> able to forward SSL session information to tomcat. So I wonder, how
>> configure tomcat using ssl session as application session.
> If you are front ending with apache, then you want mod_ssl.  If you are
> using mod_ssl it will handle the SSL session.

Yes of cause... You're right...

> The AJP protocol will convery the SSL information to tomcat fairly
> seamlessly, the idea being from the web-app's point of view it can't
> tell the difference between an Apache fronted HTTP session and one
> coming in via a AJP connector.

You mean, that the session will be created by apache not by tomcat?

> The AJP protocol is not secure from traffic snooping or secure again
> pirate connections hijacking it directly, if you intend to run both on
> the same machine I suggesting making Tomcat listen on

Yes, that is, what I'm going to do.

My problem is, that the application session (set by cookie or url
parameter) is not associated with the SSL session. And I hope, there is
an easy way to that.

Thanks a lot,

Michael Decker            
TESIS SYSware GmbH            
Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 747377-0

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message