From: Cédric Couralet
To: Tomcat Users List
Subject: Re: Apache HTTP + Tomcat + SSL
Date: Mon, 30 Sep 2013 16:06:48 +0200

Hi,

2013/9/30 André Warnier:
> Hi.
> [...]
> The question is now: why does that application require HTTPS?
> An application usually doesn't care how it is accessed, except if some
> configuration of the application requires it to get some information from
> the SSL protocol (like a user certificate or so). What does this
> application need?
>

I don't agree, the application should know how it is accessed, if only because some pages may require SSL (all pages under an auth-constraint) and others not, and it should not be delegated to apache but required at the tomcat level.

I really think that saying to an application "do not care about SSL it is our problem" will lead to all sorts of security incomprehension in the future. Especially when it is as easy as adding a valve in server.xml to do so (as said by Daniel Mikusa), or if it is an option, configuring AJP between tomcat and httpd, which then requires nothing on the tomcat side.

Cédric
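
The setup this message argues for, as an added configuration example that is not part of the thread. It assumes the valve referred to is Tomcat's `RemoteIpValve` and that httpd terminates TLS and proxies over plain HTTP with an `X-Forwarded-Proto` header; the proxy address, URL pattern and role name are constructed placeholders.

```xml
<!-- conf/server.xml, inside <Host> or <Engine>.
     Assumption: httpd runs at 192.0.2.10 (placeholder) and sets
     X-Forwarded-Proto itself in its SSL virtual host, e.g. with
     mod_headers: RequestHeader set X-Forwarded-Proto "https"
     The valve rewrites scheme, secure flag and remote address only
     for requests whose peer address matches internalProxies (a regex),
     so keep that pattern as narrow as the real proxy address. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="192\.0\.2\.10"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https" />

<!-- WEB-INF/web.xml of the application.
     The application itself declares which pages need TLS, next to
     the auth-constraint that protects them. /account/* and the role
     "user" are placeholders. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected pages</web-resource-name>
    <url-pattern>/account/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Tomcat checks request.isSecure(); without the valve (or AJP)
         a proxied request looks like plain HTTP and is redirected
         to the connector's redirectPort. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Because the valve ignores the forwarded headers from any peer outside `internalProxies`, a client that reaches the Tomcat connector directly cannot satisfy the `CONFIDENTIAL` constraint by sending `X-Forwarded-Proto: https` itself.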