tomcat-users mailing list archives

From Cédric Couralet <>
Subject Re: Apache HTTP + Tomcat + SSL
Date Mon, 30 Sep 2013 14:15:40 GMT
2013/9/30 Christopher Schultz <>:
> Cédric,
> On 9/30/13 10:06 AM, Cédric Couralet wrote:
>> Hi,
>> 2013/9/30 André Warnier <>:
>>> Hi.
>> [...]
>>> The question is now : why does that application require HTTPS ?
>>> An application usually doesn't care how it is accessed, except if
>>> some configuration of the application requires it to get some
>>> information from the SSL protocol (like a user certificate or
>>> so).  What does this application need ?
>> I don't agree, the application should know how it is accessed, if
>> only because some pages may require SSL (all pages under an
>> auth-constraint) and others not, and it should not be delegated to
>> apache but required at the tomcat level. I really think that saying
>> to an application  "do not care about SSL it is our problem"  will
>> lead to all sort of security incomprehension in the future.
>> Especially when it is as easy as adding a valve in server.xml to do
>> so (as said by Daniel Mikusa), or if it is an option, configuring
>> AJP between tomcat and httpd, which then requires nothing on the
>> tomcat side.
> Some solutions require nothing on the Tomcat site (hint: mod_jk does
> all this auto-magically).

I didn't say otherwise (

>> "configuring
>> AJP between tomcat and httpd, which then requires nothing on the
>> tomcat side" )

I just reacted to the statement that an application could not care
whether it was accessed with SSL or not. I think the choice of https
over http is an application choice and it could be dangerous to say
that it is not important for an application to think about it.

I agree with all the rest, it is just that sentence which made me uneasy
(for lack of a better term).

