Re: secured authentication / connection
On 8/1/07, Pierre Goupil [EMAIL PROTECTED] wrote: The real question is a bit more weird. If I try connect to my server on port 8443, but with just http protocol (no encryption) snip/ Then you're doing something utterly meaningless, and the file you see is just the encrypted response from Tomcat. The simple answer is don't do that :-) HTH, -- Hassan Schroeder [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: secured authentication / connection
Hello, OK, I've done it : the SSL authentication of my tomcat server works pretty fine. I'm currently using port 8443, though. But this is not my question. The real question is a bit more weird. If I try connect to my server on port 8443, but with just http protocol (no encryption), Tomcat responds by sending a file ! It is a .bin file which name is : - either the context name of my request (for instance, if I ask http://myserver.com/qwerty the file is called qwerty.bin) - either a random (?) name if I ask the context name of my webapp. Do you have an idea why how to get rid of this, anyone ? Cheers, Pierre 2007/7/31, Pierre Goupil [EMAIL PROTECTED]: Ooops... Yes, definitely... But I still need the port 80 for my purely static (unencrypted) content. The connections to my webapp will be encrypted from end-to-end using its context name, but all the content accessible within the default context will be static. Pierre 2007/7/31, David Smith [EMAIL PROTECTED]: Port 80 is for unencrypted traffic. The default port for SSL (https protocol) is 443. --David Pierre Goupil wrote: I have some static HTML content. But I will handle it with Tomcat too, in order to ease things regarding my present need. So I will stick to Tomcat for SSL management and won't use Apache *Httpd* ;-) any more... Easy. As easy as my need in fact. Actually, my only sensitive need is to have SSL connections from end-to-end, as this is an application for a persons goods security firm. I don't want to take any risk with this kind of data. I'm going to investigate the use of port 80 with tomcat, now ! Thanx again ! Pierre 2007/7/31, Caldarale, Charles R [EMAIL PROTECTED]: From: Pierre Goupil [mailto:[EMAIL PROTECTED] Subject: Re: secured authentication / connection But I still need Apache in front of it, in order to be able to use the port 80 this sort of things. Tomcat can quite happily use port 80; what else do you need httpd for? (We'll assume you mean httpd when you refer to Apache, since both Tomcat and httpd are Apache products.) - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Si le sang ne coule pas assez chaud dans tes veines, je le répandrais sur le sable pour qu'il bouille au soleil. (Maraxus de Kelde) -- Si le sang ne coule pas assez chaud dans tes veines, je le répandrais sur le sable pour qu'il bouille au soleil. (Maraxus de Kelde)
Re: secured authentication / connection
OK... Thanks again to all of you for your time attention ! Pierre 2007/8/1, Hassan Schroeder [EMAIL PROTECTED]: On 8/1/07, Pierre Goupil [EMAIL PROTECTED] wrote: The real question is a bit more weird. If I try connect to my server on port 8443, but with just http protocol (no encryption) snip/ Then you're doing something utterly meaningless, and the file you see is just the encrypted response from Tomcat. The simple answer is don't do that :-) HTH, -- Hassan Schroeder [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Si le sang ne coule pas assez chaud dans tes veines, je le répandrais sur le sable pour qu'il bouille au soleil. (Maraxus de Kelde)
Re: secured authentication / connection
Pierre Goupil wrote: Hello all, On my webapp, I'm currently using a Tomcat-based form authentication. But I would like to switch to an encrypted authentication. And the long-term goal would be to have my users browse my webapp entirely with an https connection. Can anyone point me to a relevant tutorial ? I have found lot of information, indeed, but they are all either Apache-based (and I would like to rely entirely on Tomcat, regarding security features), either Tomcat-based but with form authentication only. http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: secured authentication / connection
From: Pierre Goupil [mailto:[EMAIL PROTECTED] Subject: secured authentication / connection Can anyone point me to a relevant tutorial ? Besides configuring SSL as Mark T pointed out, you need to read section 12 of the servlet spec: http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index.html Section 12.5.3 is specifically for form-based authentication. To force SSL for everything, use a transport-guarantee of CONFIDENTIAL in conjunction with a url-pattern of /* in your app's WEB-INF/web.xml file. For example: security-constraint web-resource-collection web-resource-nameProtect Everything/web-resource-name url-pattern/*/url-pattern /web-resource-collection auth-constraint role-nameRequiredRoleHere/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: secured authentication / connection
Erf... It wasn't especially out of my reach. But (as many, I presume), when I'm looking for info, I tend to google around, where there is info fresh from the source... Thanks to both of you and I will try to use more the official documentation, in the future. Cheers, Pierre 2007/7/31, Caldarale, Charles R [EMAIL PROTECTED]: From: Pierre Goupil [mailto:[EMAIL PROTECTED] Subject: secured authentication / connection Can anyone point me to a relevant tutorial ? Besides configuring SSL as Mark T pointed out, you need to read section 12 of the servlet spec: http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index.html Section 12.5.3 is specifically for form-based authentication. To force SSL for everything, use a transport-guarantee of CONFIDENTIAL in conjunction with a url-pattern of /* in your app's WEB-INF/web.xml file. For example: security-constraint web-resource-collection web-resource-nameProtect Everything/web-resource-name url-pattern/*/url-pattern /web-resource-collection auth-constraint role-nameRequiredRoleHere/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Si le sang ne coule pas assez chaud dans tes veines, je le répandrais sur le sable pour qu'il bouille au soleil. (Maraxus de Kelde)
Re: secured authentication / connection
Quote from the Tomcat doc : *** It is important to note that configuring Tomcat to take advantage of secure sockets is usually only necessary when running it as a stand-alone web server. When running Tomcat primarily as a Servlet/JSP container behind another web server, such as Apache or Microsoft IIS, it is usually necessary to configure the primary web server to handle the SSL connections from users. Typically, this server will negotiate all SSL-related functionality, then pass on any requests destined for the Tomcat container only after decrypting those requests. *** I'm using Tomcat 5.5, Apache 2.0.55 mod_jk 1.2.18. I'd really like to manage my SSL from within Tomcat, mainly because I feel more comfortable with it than with Apache. But I still need Apache in front of it, in order to be able to use the port 80 this sort of things. Does this mean that I can, but that I will then have to configure my Apache / jk a bit more than with straight-forward http connections ? How to do this ? Cheers, Pierre
Re: secured authentication / connection
SSL as a protocol is not designed to allow for this sort of man-in-the-middle configuration. Either tomcat handles the ssl and listens on port 443 or Apache httpd handles the ssl and listens on 443. --David Pierre Goupil wrote: Quote from the Tomcat doc : *** It is important to note that configuring Tomcat to take advantage of secure sockets is usually only necessary when running it as a stand-alone web server. When running Tomcat primarily as a Servlet/JSP container behind another web server, such as Apache or Microsoft IIS, it is usually necessary to configure the primary web server to handle the SSL connections from users. Typically, this server will negotiate all SSL-related functionality, then pass on any requests destined for the Tomcat container only after decrypting those requests. *** I'm using Tomcat 5.5, Apache 2.0.55 mod_jk 1.2.18. I'd really like to manage my SSL from within Tomcat, mainly because I feel more comfortable with it than with Apache. But I still need Apache in front of it, in order to be able to use the port 80 this sort of things. Does this mean that I can, but that I will then have to configure my Apache / jk a bit more than with straight-forward http connections ? How to do this ? Cheers, Pierre - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: secured authentication / connection
From: Pierre Goupil [mailto:[EMAIL PROTECTED] Subject: Re: secured authentication / connection But I still need Apache in front of it, in order to be able to use the port 80 this sort of things. Tomcat can quite happily use port 80; what else do you need httpd for? (We'll assume you mean httpd when you refer to Apache, since both Tomcat and httpd are Apache products.) - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: secured authentication / connection
I have some static HTML content. But I will handle it with Tomcat too, in order to ease things regarding my present need. So I will stick to Tomcat for SSL management and won't use Apache *Httpd* ;-) any more... Easy. As easy as my need in fact. Actually, my only sensitive need is to have SSL connections from end-to-end, as this is an application for a persons goods security firm. I don't want to take any risk with this kind of data. I'm going to investigate the use of port 80 with tomcat, now ! Thanx again ! Pierre 2007/7/31, Caldarale, Charles R [EMAIL PROTECTED]: From: Pierre Goupil [mailto:[EMAIL PROTECTED] Subject: Re: secured authentication / connection But I still need Apache in front of it, in order to be able to use the port 80 this sort of things. Tomcat can quite happily use port 80; what else do you need httpd for? (We'll assume you mean httpd when you refer to Apache, since both Tomcat and httpd are Apache products.) - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Si le sang ne coule pas assez chaud dans tes veines, je le répandrais sur le sable pour qu'il bouille au soleil. (Maraxus de Kelde)
Re: secured authentication / connection
Port 80 is for unencrypted traffic. The default port for SSL (https protocol) is 443. --David Pierre Goupil wrote: I have some static HTML content. But I will handle it with Tomcat too, in order to ease things regarding my present need. So I will stick to Tomcat for SSL management and won't use Apache *Httpd* ;-) any more... Easy. As easy as my need in fact. Actually, my only sensitive need is to have SSL connections from end-to-end, as this is an application for a persons goods security firm. I don't want to take any risk with this kind of data. I'm going to investigate the use of port 80 with tomcat, now ! Thanx again ! Pierre 2007/7/31, Caldarale, Charles R [EMAIL PROTECTED]: From: Pierre Goupil [mailto:[EMAIL PROTECTED] Subject: Re: secured authentication / connection But I still need Apache in front of it, in order to be able to use the port 80 this sort of things. Tomcat can quite happily use port 80; what else do you need httpd for? (We'll assume you mean httpd when you refer to Apache, since both Tomcat and httpd are Apache products.) - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: secured authentication / connection
Ooops... Yes, definitely... But I still need the port 80 for my purely static (unencrypted) content. The connections to my webapp will be encrypted from end-to-end using its context name, but all the content accessible within the default context will be static. Pierre 2007/7/31, David Smith [EMAIL PROTECTED]: Port 80 is for unencrypted traffic. The default port for SSL (https protocol) is 443. --David Pierre Goupil wrote: I have some static HTML content. But I will handle it with Tomcat too, in order to ease things regarding my present need. So I will stick to Tomcat for SSL management and won't use Apache *Httpd* ;-) any more... Easy. As easy as my need in fact. Actually, my only sensitive need is to have SSL connections from end-to-end, as this is an application for a persons goods security firm. I don't want to take any risk with this kind of data. I'm going to investigate the use of port 80 with tomcat, now ! Thanx again ! Pierre 2007/7/31, Caldarale, Charles R [EMAIL PROTECTED]: From: Pierre Goupil [mailto:[EMAIL PROTECTED] Subject: Re: secured authentication / connection But I still need Apache in front of it, in order to be able to use the port 80 this sort of things. Tomcat can quite happily use port 80; what else do you need httpd for? (We'll assume you mean httpd when you refer to Apache, since both Tomcat and httpd are Apache products.) - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Si le sang ne coule pas assez chaud dans tes veines, je le répandrais sur le sable pour qu'il bouille au soleil. (Maraxus de Kelde)
