tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
Date Mon, 25 Jan 2010 16:17:09 GMT
Hash: SHA1


On 1/22/2010 5:09 PM, Matt Turner wrote:
> In between times I tried the ProxyPass which seems to work fine, but I'd much rather
use plain AJP so I'll try that next.

AJP is the protocol used by both mod_jk and mod_proxy_ajp (which is what
you get if you use ProxyPass with an ajp:// URL). Which one depends on
your requirements:

mod_proxy_ajp is bundled with Aapche httpd and therefore has (usually)
no additional compilation and/or configuration to perform. Also, all
configuration for URL mapping, etc. occurs within httpd.conf.

mod_jk is separate and should be compiled on the target system, which is
inconvenient for some users. mod_jk is much older and had therefore
undergone much more in the way of testing in the wild. While
configuration can be done in httpd.conf, historically it's always been
done in an external file with a proprietary format, which increases

In my experience, mod_jk is better with complex configurations than
mod_proxy_ajp, but mod_proxy_ajp is much more convenient for simple

> I've had problems previously getting CAS working where the SSL is
> handled by the webserver - however from what everyone has said and
> having read around the issue a bit more, it does sound like using AJP
> ought to work, so long as Apache is configured to pass through all the
> relevant SSL and cert. info to tomcat (presumably so that isSecure() can
> work, plus I think CAS validates certificates too).

This will work: I've recently been playing around with client
certificates passed-through Apache httpd and it worked quite well once
the stars aligned for me (and I upgraded certain components that had
known issues with SSL cert chains).

I had Apache httpd validate the certs and then pass them through to
Tomcat, where I performed a manual certification-checking process as a
double-check as well as to pull some information from the cert for
identification purposes.

Good luck,
- -chris
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message