tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Cleartrust RSA integration
Date Sun, 20 Jun 2010 09:37:34 GMT
Ron McNulty wrote:
> Hi All
> We are thinking of bringing some of our apps off proprietary J2EE 
> servers to Tomcat. We would be deploying on Tomcat 6 (latest), JVM 1.6 
> and Linux on a VM (not sure of versions). One of the requirements is to 
> authenticate using RSA Cleartrust.
>> From my reading, Tomcat does not support this. The recommended 
>> solution is 
> to front Tomcat with Apache, and let Apache do the Cleartrust integration.
> The links I have found are a bit ancient - are my assumptions still 
> correct? Also, our system architects seem to think this setup is 
> insufficiently secure - comments?
Assuming the Apache Cleartrust authentication is secure..
If Apache authenticates a request, and if the Apache/Tomcat connector is mod_jk, then the

authenticated user-id is propagated from Apache to Tomcat (*).
(Additionals info could be propagated via additional HTTP headers, or "request attributes").
If the link between Apache and Tomcat is secure (like for example both run on the same 
machine and the connection is purely internal), then there is no reason why this would be

less secure.

(*) whether Tomcat actually uses it, is determined by the "tomcatAuthentication" attribute

of the AJP <Connector>.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message