tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual Authentication connections
Date Thu, 08 Jan 2015 14:52:24 GMT
dmccrthy wrote:
> Hi,
> 
> Is it possible to configure or hack Tomcat in some way to intercept
> outbound HTTP URL requests from a deployed web application and convert them
> to HTTPS with Mutual Authentication?
> 
> My scenario is:
> 
> * 3rd party web application that makes client invocations to a server that
> requires HTTPS with Mutual Authentication
> * I don’t know what framework the web application uses or how it creates
> the HTTP client connections
> * I can’t make changes to the 3rd party application
> 
> I have investigated the below but they don’t seem to offer a solution
> 
> * Adding Custom Resource Factories -
> http://tomcat.apache.org/tomcat-7.0-doc/jndi-resources-howto.html. This
> requires changes to the client application
> * HTTP connector - http://tomcat.apache.org/tomcat-7.0-doc/config/http.html.
> This is for the Tomcat web server, not for outbound client connections
> 
> I have successfully configured the server and can make SoapUI calls to it
> using HTTPS and Mutual Authentication. If I had control of the client code
> I would use HttpClient and accomplish it that way.
> 
> For the Tomcat client application I have searched Google, Stackoverflow,
> and the Tomcat wiki and mail archives but all HTTPS/Mutual Authentication
> solutions I can find refer to Tomcat as the web server, not to web
> applications making outbound connections from a Tomcat instance.
> 
> If there is no option to configure Tomcat then the only options I can think
> of are below, but if anyone has any other insights it would be much
> appreciated.
> 
> 1) Write a between the Tomcat “client” instance and the HTTPS/MA endpoint
> 2) Find out the framework/socket factory/url connection factory the
> 3rd party web app uses and override it with a Tomcat plugin
> 3)  Raise a feature request with the 3rd party vendor to support HTTPS/MA
> 

I don't know really about the "hacking Tomcat" option (but I believe that is not possible 
in this case, because Tomcat is not involved at all in those connections which the webapp 
is making "on the side").

This is what you could do outside of Tomcat (but it is some work) :

1) find out to what hostname:port that application is making a call.
Say for now that it is "server.company.com:8000".

2) in the "hosts" file of the Tomcat server, add an entry for that hostname, with IP 
address 127.0.0.1, like
127.0.0.1 server.company.com
(alternatively, you could use another valid IP of your Tomcat server)

3) on the Tomcat server, create a separate "proxy" process which listens on that IP and 
port 8000 for such HTTP requests, and forwards them via HTTPS to the real external 
host/port (while being careful not to create a loop via the hosts file - iow, if possible, 
it should not do a DNS lookup for the external hostname "server.company.com", because it 
would get 127.0.0.1 as the IP address, and that would be self-defeating)

Of course then, the burden of the HTTPS/MA dialog falls on that process which you create.

Note that this approach is somewhat simplistic and flaky, and will only work if these 
external HTTP requests/responses are really simple, and the responses returned by the 
external server don't do things like re-directs elsewhere etc.

It would indeed be a lot better to ask the webapp provider to fix their code.

But also note that to simplify your life you may be able, for this separate "proxy" 
process, to use an already-existing piece of software such as an Apache httpd webserver 
(listening on localhost:8000) (*), or some utility that creates "tunnels".

(*) or even a dedicated Tomcat instance, provided you find a webapp able to act as a 
HTTPS/MA proxy
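As an added illustration of the three steps in the reply above (this is not code from the thread or from Tomcat), here is a minimal Python proxy process: it listens on 127.0.0.1:8000 for the webapp's plain HTTP, connects to the real server by a pinned IP literal so the hosts-file entry cannot loop back onto it, and presents a client certificate over TLS while still verifying the server's certificate against the real hostname. The hostname, IP address and certificate file names are assumptions.

```python
import socket
import ssl
import threading

# Constructed names: the webapp talks plain HTTP to server.company.com:8000 (hosts
# file -> 127.0.0.1); the real server is a pinned IP literal, so this process never
# resolves the name and cannot loop back onto itself.
REAL_HOSTNAME = "server.company.com"  # used for SNI and the certificate-name check
REAL_IP = "203.0.113.10"              # placeholder for the external server's address
REAL_PORT = 443
LISTEN = ("127.0.0.1", 8000)

def make_mtls_context(ca_file=None, cert_file=None, key_file=None):
    # Trust ca_file for the server cert; present our client cert (mutual auth).
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def rewrite_headers(request, hostname, port):
    # The webapp's Host header carries ':8000'; Connection: close makes the real
    # server end the reply so the relay loop in handle() terminates.
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = [l for l in head.split(b"\r\n")
             if not l.lower().startswith((b"host:", b"connection:"))]
    host = hostname.encode() + (b"" if port == 443 else b":%d" % port)
    lines[1:1] = [b"Host: " + host, b"Connection: close"]
    return b"\r\n".join(lines) + sep + body

def handle(client, ctx):
    # One request: plain HTTP in from the webapp, mTLS out to the real host.
    with client:
        request = client.recv(65536)  # simplistic: single read, small requests only
        if not request:
            return
        request = rewrite_headers(request, REAL_HOSTNAME, REAL_PORT)
        raw = socket.create_connection((REAL_IP, REAL_PORT))  # IP literal: no DNS
        with ctx.wrap_socket(raw, server_hostname=REAL_HOSTNAME) as upstream:
            upstream.sendall(request)
            while chunk := upstream.recv(65536):
                client.sendall(chunk)

def serve():
    ctx = make_mtls_context("remote-ca.pem", "client.pem", "client-key.pem")  # placeholders
    with socket.create_server(LISTEN) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn, ctx), daemon=True).start()
```

As the reply notes, this only copes with simple request/response pairs: redirects and absolute URLs in the server's reply are relayed unchanged, so the webapp would follow them straight to the external host.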

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

