Re: secured authentication / connection

2007-08-01 Thread Hassan Schroeder
On 8/1/07, Pierre Goupil [EMAIL PROTECTED] wrote:

> The real question is a bit more weird. If I try & connect to my server on
> port 8443, but with just http protocol (no encryption) <snip/>

Then you're doing something utterly meaningless, and the file you
see is just the encrypted response from Tomcat.

The simple answer is don't do that  :-)

HTH,
-- 
Hassan Schroeder  [EMAIL PROTECTED]

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
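
An added example, not part of the original thread: a reply from a TLS listener begins with a 5-byte TLS record header rather than an HTTP status line, so a client that asked in plain HTTP has nothing it can render. The sketch below classifies the first bytes of a reply; `classify_reply` and `probe` are hypothetical names, the sample bytes are constructed, and `probe` is meant for checking your own server.

```python
import socket
import struct

# TLS record content types (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound on a TLS record fragment


def classify_reply(data: bytes) -> dict:
    """Classify the first bytes a server sent back on a TCP connection."""
    if data.startswith(b"HTTP/"):
        status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "http", "detail": status_line}
    if len(data) >= 5:
        # Record header: content type, version major/minor, fragment length.
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
                and length <= MAX_RECORD_LEN):
            info = {"kind": "tls", "record": TLS_CONTENT_TYPES[ctype],
                    "version": (major, minor), "length": length}
            # An unencrypted alert body is exactly two bytes: level, description.
            if ctype == 21 and length == 2 and len(data) >= 7:
                info["alert_level"] = ALERT_LEVELS.get(data[5], "unknown")
                info["alert_description"] = data[6]
            return info
    return {"kind": "unknown", "detail": data[:16].hex()}


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Send a plain-HTTP request to a port and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
        return classify_reply(s.recv(4096))


# Constructed samples: a fatal TLS alert record and an ordinary HTTP reply.
SAMPLE_TLS_ALERT = bytes.fromhex("1503010002020a")
SAMPLE_HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
```

A `kind` of `tls` in answer to a plain-HTTP request means the port expects `https://` URLs.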



Re: secured authentication / connection

2007-08-01 Thread Pierre Goupil
Hello,

OK, I've done it : the SSL authentication of my tomcat server works pretty
fine. I'm currently using port 8443, though. But this is not my question.

The real question is a bit more weird. If I try & connect to my server on
port 8443, but with just http protocol (no encryption), Tomcat responds by
sending a file! It is a .bin file whose name is:

- either the context name of my request (for instance, if I ask
http://myserver.com/qwerty the file is called qwerty.bin)
- or a random (?) name if I ask the context name of my webapp.

Do you have an idea why & how to get rid of this, anyone?

Cheers,

Pierre



-- 
If the blood does not run hot enough in your veins,
I will spill it on the sand so that it boils in the sun.

(Maraxus de Kelde)


Re: secured authentication / connection

2007-08-01 Thread Pierre Goupil
OK...

Thanks again to all of you for your time & attention!

Pierre




Re: secured authentication / connection

2007-07-31 Thread Mark Thomas
Pierre Goupil wrote:
> Hello all,
>
> On my webapp, I'm currently using a Tomcat-based form authentication. But I
> would like to switch to an encrypted authentication. And the long-term goal
> would be to have my users browse my webapp entirely with an https
> connection.
>
> Can anyone point me to a relevant tutorial? I have found a lot of
> information, indeed, but they are all either Apache-based (and I would like
> to rely entirely on Tomcat, regarding security features), or
> Tomcat-based but with form authentication only.

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

Mark





RE: secured authentication / connection

2007-07-31 Thread Caldarale, Charles R
> From: Pierre Goupil [mailto:[EMAIL PROTECTED]
> Subject: secured authentication / connection
>
> Can anyone point me to a relevant tutorial ?

Besides configuring SSL as Mark T pointed out, you need to read section
12 of the servlet spec:
http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index.html

Section 12.5.3 is specifically for form-based authentication.

To force SSL for everything, use a transport-guarantee of CONFIDENTIAL
in conjunction with a url-pattern of /* in your app's WEB-INF/web.xml
file.  For example:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protect Everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>RequiredRoleHere</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.
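
An added example, not part of the original message: a check that a web.xml really forces SSL for everything. Under the servlet spec's rules for combining constraints, constraints on the same url-pattern accept the union of their connection types, and a constraint with no user-data-constraint accepts any, so the weakest declaration wins. The function names and sample descriptors are constructed here, and http-method elements are ignored as a simplifying assumption.

```python
import xml.etree.ElementTree as ET

RANK = {"NONE": 0, "INTEGRAL": 1, "CONFIDENTIAL": 2}  # weakest to strongest


def _named(elem, name):
    """Descendants with this local tag name, ignoring any XML namespace."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]


def effective_guarantees(web_xml: str) -> dict:
    """Map each url-pattern to the weakest transport-guarantee declared for it."""
    result = {}
    for sc in _named(ET.fromstring(web_xml), "security-constraint"):
        declared = [(e.text or "").strip().upper()
                    for e in _named(sc, "transport-guarantee")]
        # A missing or unrecognised guarantee is treated as NONE (any connection).
        guarantee = declared[0] if declared and declared[0] in RANK else "NONE"
        for up in _named(sc, "url-pattern"):
            pattern = (up.text or "").strip()
            # Same pattern in several constraints: the weakest one is effective.
            result[pattern] = min(result.get(pattern, guarantee), guarantee,
                                  key=RANK.get)
    return result


def audit(web_xml: str) -> dict:
    """Report patterns reachable without SSL and whether /* is fully covered."""
    eff = effective_guarantees(web_xml)
    plaintext = sorted(p for p, g in eff.items() if g != "CONFIDENTIAL")
    return {"plaintext_patterns": plaintext,
            "forces_ssl_everywhere": eff.get("/*") == "CONFIDENTIAL" and not plaintext}


def _constraint(pattern, guarantee=None):
    """Build one constructed security-constraint element for the samples."""
    udc = (f"<user-data-constraint><transport-guarantee>{guarantee}"
           "</transport-guarantee></user-data-constraint>") if guarantee else ""
    return ("<security-constraint><web-resource-collection>"
            f"<web-resource-name>sample</web-resource-name>"
            f"<url-pattern>{pattern}</url-pattern>"
            f"</web-resource-collection>{udc}</security-constraint>")


def _web_app(*constraints):
    return ('<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">'
            + "".join(constraints) + "</web-app>")


# Constructed sample descriptors.
EVERYTHING = _web_app(_constraint("/*", "CONFIDENTIAL"))
CARVE_OUT = _web_app(_constraint("/*", "CONFIDENTIAL"), _constraint("/static/*"))
OVERLAP = _web_app(_constraint("/*", "CONFIDENTIAL"), _constraint("/*", "NONE"))
```

`CARVE_OUT` models a more specific pattern left unencrypted on purpose; `OVERLAP` shows a second constraint on `/*` silently cancelling the first.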




Re: secured authentication / connection

2007-07-31 Thread Pierre Goupil
Erf... It wasn't especially out of my reach. But (as many, I presume), when
I'm looking for info, I tend to google around, where there is info fresh
from the source...

Thanks to both of you, and I will try to use the official documentation more
in the future.

Cheers,

Pierre




Re: secured authentication / connection

2007-07-31 Thread Pierre Goupil
Quote from the Tomcat doc :

***
It is important to note that configuring Tomcat to take advantage of secure
sockets is usually only necessary when running it as a stand-alone web
server. When running Tomcat primarily as a Servlet/JSP container behind
another web server, such as Apache or Microsoft IIS, it is usually necessary
to configure the primary web server to handle the SSL connections from
users. Typically, this server will negotiate all SSL-related functionality,
then pass on any requests destined for the Tomcat container only after
decrypting those requests.
***

I'm using Tomcat 5.5, Apache 2.0.55 & mod_jk 1.2.18. I'd really like to
manage my SSL from within Tomcat, mainly because I feel more comfortable
with it than with Apache. But I still need Apache in front of it, in order
to be able to use the port 80 & this sort of thing.

Does this mean that I can, but that I will then have to configure my Apache
/ jk a bit more than with straightforward http connections? How to do this?

Cheers,

Pierre


Re: secured authentication / connection

2007-07-31 Thread David Smith


SSL as a protocol is not designed to allow for this sort of 
man-in-the-middle configuration.  Either tomcat handles the ssl and 
listens on port 443 or Apache httpd handles the ssl and listens on 443.


--David



RE: secured authentication / connection

2007-07-31 Thread Caldarale, Charles R
> From: Pierre Goupil [mailto:[EMAIL PROTECTED]
> Subject: Re: secured authentication / connection
>
> But I still need Apache in front of it, in order
> to be able to use the port 80 & this sort of thing.

Tomcat can quite happily use port 80; what else do you need httpd for?

(We'll assume you mean httpd when you refer to Apache, since both Tomcat
and httpd are Apache products.)

 - Chuck





Re: secured authentication / connection

2007-07-31 Thread Pierre Goupil
I have some static HTML content. But I will handle it with Tomcat too, in
order to ease things regarding my present need.

So I will stick to Tomcat for SSL management and won't use Apache *Httpd*
;-) any more... Easy. As easy as my need in fact. Actually, my only
sensitive need is to have SSL connections from end-to-end, as this is an
application for a persons & goods security firm. I don't want to take any
risk with this kind of data.

I'm going to investigate the use of port 80 with tomcat, now !

Thanx again !

Pierre




Re: secured authentication / connection

2007-07-31 Thread David Smith
Port 80 is for unencrypted traffic.  The default port for SSL (https 
protocol) is 443.


--David



Re: secured authentication / connection

2007-07-31 Thread Pierre Goupil
Ooops... Yes, definitely... But I still need the port 80 for my purely
static (unencrypted) content. The connections to my webapp will be encrypted
from end-to-end using its context name, but all the content accessible
within the default context will be static.


Pierre


