tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From C├ędric Couralet <cedric.coura...@gmail.com>
Subject Re: SSLAuthenticator question
Date Fri, 26 Apr 2013 18:46:46 GMT
Hi,

2013/4/26 Jeffrey Janner <Jeffrey.Janner@polydyne.com>:
> Ok, I know I've been doing this for awhile and should probably know better, but....
>
> Since long ago (4.x?), at the guidance of some long-gone developers, I've been adding
the following to our app_context.xml file for instances where we are expecting to use SSL
protocol for communications.  Note we are not using SSL-Client-Authentication, which is what
I've recently discovered this valve actually implements. I actually use a security-constraint
to force the conversation to the SSL port.  So with that background, am I getting any beneficial
side-effects from this, and, if so, is there a better way to get the same results?
>   <Valve className="org.apache.catalina.authenticator.SSLAuthenticator"
>         securePagesWithPragma="false" />

If I'm not wrong , the authenticators are not called if the request is
not constrained to an auth-constraint. If it was, you would need a
client certificate to access your web app (ensured by that
authenticator). So no in your case.

> From the definition of the parameter, I am at least turning off some IE-incompatible
headers that control proxy-caching.

Not even that, if you really have no auth-constraint then there is no
justification to keep this authenticator in the context.

>
> FYI: Currently deployed on Tomcat 6.0.27 and higher, and starting the transition to Tomcat
7.0.latest.
>
> Jeff
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message