tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From C├ędric Couralet <>
Subject Re: SSLAuthenticator question
Date Fri, 26 Apr 2013 18:46:46 GMT

2013/4/26 Jeffrey Janner <>:
> Ok, I know I've been doing this for awhile and should probably know better, but....
> Since long ago (4.x?), at the guidance of some long-gone developers, I've been adding
the following to our app_context.xml file for instances where we are expecting to use SSL
protocol for communications.  Note we are not using SSL-Client-Authentication, which is what
I've recently discovered this valve actually implements. I actually use a security-constraint
to force the conversation to the SSL port.  So with that background, am I getting any beneficial
side-effects from this, and, if so, is there a better way to get the same results?
>   <Valve className="org.apache.catalina.authenticator.SSLAuthenticator"
>         securePagesWithPragma="false" />

If I'm not wrong , the authenticators are not called if the request is
not constrained to an auth-constraint. If it was, you would need a
client certificate to access your web app (ensured by that
authenticator). So no in your case.

> From the definition of the parameter, I am at least turning off some IE-incompatible
headers that control proxy-caching.

Not even that, if you really have no auth-constraint then there is no
justification to keep this authenticator in the context.

> FYI: Currently deployed on Tomcat 6.0.27 and higher, and starting the transition to Tomcat
> Jeff

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message