tomcat-users mailing list archives

From André Warnier
Subject Re: Apache HTTP + Tomcat + SSL
Date Mon, 30 Sep 2013 14:33:56 GMT
Cédric Couralet wrote:
> 2013/9/30 Christopher Schultz <>:
>> Hash: SHA256
>> Cédric,
>> On 9/30/13 10:06 AM, Cédric Couralet wrote:
>>> Hi,
>>> 2013/9/30 André Warnier <>:
>>>> Hi.
>>> [...]
>>>> The question is now : why does that application require HTTPS ?
>>>> An application usually doesn't care how it is accessed, except if
>>>> some configuration of the application requires it to get some
>>>> information from the SSL protocol (like a user certificate or
>>>> so).  What does this application need ?
>>> I don't agree, the application should know how it is accessed, if
>>> only because some pages may require SSL (all page under an
>>> auth-constraint) and others not, and it should not be delegated to
>>> apache but required at the tomcat level. I really think that saying
>>> to an application  "do not care about SSL it is our problem"  will
>>> lead to all sort of security incomprehension in the future.
>>> Especially when it is as easy as adding a valve in server.xml to do
>>> so (as said by Daniel Mikusa), or if it is an option, configuring
>>> AJP between tomcat and httpd, which then requires nothing on the
>>> tomcat side.
>> Some solutions require nothing on the Tomcat site (hint: mod_jk does
>> all this auto-magically).
> I didn't say otherwise (
>>> "configuring
>>> AJP between tomcat and httpd, which then requires nothing on the
>>> tomcat side" )
> I just reacted to the saying that an application could not care
> whether it was accessed with SSL or not,

that is not what I said.

> I think the choice of https
> over http is an application choice and it could be dangerous to say
> that it is not important for an application to think about it.

and that also not.

> I agree with all the rest, just that sentence which made me uneasy (in
> lack of a better term ).

I said "An application *usually* doesn't care how it is accessed".
Most applications do not.  Some do.
But I would argue that this would not be such a good design, because it removes
flexibility in the application.  It would mean that the application then cannot work in a
context where there is no need for strong security, and that you always pay the SSL
penalty, even when you do not really need it. The configuration "around" the webapp allows
to put whatever level of security you need, without having to change the application code.
Except in some cases, and that is why we were asking what *this* application really needs.

It's all in the nuance...
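As an added illustration of the two mechanisms the thread mentions (a Tomcat security-constraint that requires SSL for protected pages, and a valve in server.xml so that Tomcat learns that httpd terminated SSL in front of it), here is a configuration fragment. It is not from the thread or from the Tomcat project's own documentation; the URL pattern `/secure/*`, the role name `user`, the front-end address `127.0.0.1` and the header name `X-Forwarded-Proto` are assumptions, and the httpd side is assumed to set that header with `RequestHeader set X-Forwarded-Proto "https"` (mod_headers) inside its SSL virtual host.

```xml
<!-- conf/server.xml (fragment, assumed placement inside the <Engine> or <Host> element):
     RemoteIpValve rewrites request.isSecure()/getScheme() from a header that the
     reverse proxy sets, so the CONFIDENTIAL constraint below is satisfied without
     Tomcat itself speaking SSL. internalProxies is deliberately limited to the
     front-end address: a client that can reach Tomcat directly must not be able
     to claim "https" just by sending the header itself. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="127\.0\.0\.1"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       httpsServerPort="443" />

<!-- WEB-INF/web.xml (fragment): the application declares which pages need both
     authentication and a confidential transport; everything else stays plain HTTP.
     /secure/* and the role name "user" are constructed placeholders. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected pages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL makes Tomcat redirect non-secure requests to the HTTPS port -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With AJP (mod_jk or mod_proxy_ajp) the front end forwards the SSL attributes as part of the protocol, so the valve is unnecessary and only the web.xml part applies, which is the "requires nothing on the tomcat side" case from the thread. The constraint itself is the same either way: the application states what it needs, and the deployment decides where SSL is terminated.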
