tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Josh Gooding <josh.good...@gmail.com>
Subject Re: Need some SSL Config help.
Date Wed, 05 Aug 2009 12:52:28 GMT
nevermind, I think I made some headway on this and will ask this over on the
httpd list.  Thank you for getting me this far, I really appreciate it.


On Wed, Aug 5, 2009 at 8:50 AM, Josh Gooding <josh.gooding@gmail.com> wrote:

> *Andre wrote:
>
> The above is assuming that you would want all accesses which eventually go
> to Tomcat, to be under SSL from the client point of view.
> The idea is : SSL creates an overhead (encryption).  If the link between
> Apache and Tomcat is secure (such as, they both run on the same host, or
> they run on separate hosts, but both inside of your secure network), then
> you do not want to have an additional overhead by encrypting/decrypting the
> communications between Apache and Tomcat.*
>
> This is true.
>
> Next question then.  Is there a way to make just the login page (login.jsp)
> go through the SSL and nothing more?
>
>
>
>
> On Tue, Aug 4, 2009 at 4:18 PM, André Warnier <aw@ice-sa.com> wrote:
>
>> Josh Gooding wrote:
>>
>>> Update:
>>>
>>> So after re-re-reading the docs, since TC is not my standalone webserver,
>>> I
>>> should configure Apache (httpd) for SSL.  That seems to be what I am
>>> reading.
>>>
>>
>> Yes.
>>
>> Client -> SSL -> Apache -> Ap/To Connector -> non-SSL -> Tomcat
>>                            (e.g. mod_jk)                AJP Connector
>>
>> The above is assuming that you would want all accesses which eventually go
>> to Tomcat, to be under SSL from the client point of view.
>> The idea is : SSL creates an overhead (encryption).  If the link between
>> Apache and Tomcat is secure (such as, they both run on the same host, or
>> they run on separate hosts, but both inside of your secure network), then
>> you do not want to have an additional overhead by encrypting/decrypting the
>> communications between Apache and Tomcat.
>>
>> Second point of interest :
>> if, in the Tomcat <Connector> which accepts the requests from Apache, you
>> set the attribute "tomcatAuthentication=false", then Tomcat will "believe"
>> the user-id it gets from Apache, as being already authenticated by Apache,
>> and will use it within Tomcat as the user-id.
>>
>> Now you have thus moved the authentication issue back to Apache.
>>
>> Let's forget SSL for a minute.
>> Under Apache, you want to protect access to some or all areas of the
>> server (including the requests which you are going to forward to Tomcat), in
>> such a way that the user must be authenticated to access these areas.
>> There are different methods under Apache to force the user to
>> authenticate.  If you want to do it via your own login page though, then you
>> will have to find an Apache add-on module which allows you to do that,
>> because it is not built-in.
>> This, you should enquire about on the Apache httpd user's list.
>>
>> Let's now re-add SSL.
>>
>> In addition to the above, you would like the login dialog (login page and
>> client response to that login page) to happen under SSL, and the rest of the
>> conversation not.
>> That is not so easy as it may sound however.
>> So, when you enquire about a login page authentication method (on the
>> Apache httpd user's forum), you should make sure that you specify this
>> requirement clearly.
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message