tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Need some SSL Config help.
Date Tue, 04 Aug 2009 20:18:15 GMT
Josh Gooding wrote:
> Update:
> So after re-re-reading the docs, since TC is not my standalone webserver, I
> should configure Apache (httpd) for SSL.  That seems to be what I am
> reading.


Client -> SSL -> Apache -> Ap/To Connector -> non-SSL -> Tomcat
                             (e.g. mod_jk)                AJP Connector

The above is assuming that you would want all accesses which eventually 
go to Tomcat, to be under SSL from the client point of view.
The idea is : SSL creates an overhead (encryption).  If the link between 
Apache and Tomcat is secure (such as, they both run on the same host, or 
they run on separate hosts, but both inside of your secure network), 
then you do not want to have an additional overhead by 
encrypting/decrypting the communications between Apache and Tomcat.

Second point of interest :
if, in the Tomcat <Connector> which accepts the requests from Apache, 
you set the attribute "tomcatAuthentication=false", then Tomcat will 
"believe" the user-id it gets from Apache, as being already 
authenticated by Apache, and will use it within Tomcat as the user-id.

Now you have thus moved the authentication issue back to Apache.

Let's forget SSL for a minute.
Under Apache, you want to protect access to some or all areas of the 
server (including the requests which you are going to forward to 
Tomcat), in such a way that the user must be authenticated to access 
these areas.
There are different methods under Apache to force the user to 
authenticate.  If you want to do it via your own login page though, then 
you will have to find an Apache add-on module which allows you to do 
that, because it is not built-in.
This, you should enquire about on the Apache httpd user's list.

Let's now re-add SSL.

In addition to the above, you would like the login dialog (login page 
and client response to that login page) to happen under SSL, and the 
rest of the conversation not.
That is not so easy as it may sound however.
So, when you enquire about a login page authentication method (on the 
Apache httpd user's forum), you should make sure that you specify this 
requirement clearly.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message