tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Cédric Couralet <cedric.coura...@gmail.com>
Subject Re: Apache HTTP + Tomcat + SSL
Date Mon, 30 Sep 2013 14:06:48 GMT
Hi,

2013/9/30 André Warnier <aw@ice-sa.com>:
> Hi.
>
[...]
> The question is now : why does that application require HTTPS ?
> An application usually doesn't care how it is accessed, except if some
> configuration of the application requires it to get some information from
> the SSL protocol (like a user certificate or so).  What does this
> application need ?
>
>

I don't agree, the application should know how it is accessed, if only
because some pages may require SSL (all page under an auth-constraint)
and others not, and it should not be delegated to apache but required
at the tomcat level. I really think that saying to an application  "do
not care about SSL it is our problem"  will lead to all sort of
security incomprehension in the future.
Espcially when it is as easy as adding a valve in server.xml to do so
(as said by Daniel Mikusa), or if it is an option, configuring AJP
between tomcat and httpd, which then requires nothing on the tomcat
side.

Cédric

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message