>Is the "Connector-over-SSL" issue even addressed by the spec? If the 
>front-end web server is handling all of the authentication, then isn't 
>securing the connectors simply securing the communication channel, 
>having nothing to do with authentication?

I doubt the connector case (web-server to tomcat) was ever 
discussed on spec :)
 
>I could be wrong, I'm just asking. If the Tomcat container itself is not 
>involved in the authentication process, one would not expect that a 
>webapp has access to the client cert anyway. Is that right?

Since the WebServer (at least apache+mod_ssl) could already handle
the strong authentication (requires + level of chain to check),
couldn't we just have in ajp13 the client cert, which will allow
developers to extract needed information from the client cert, knowing 
that the authentication is done elsewhere...

Any serious site will have a dedicated web-server handling the
SSL workload (in native code).

Best choice is Apache/SSL or Apache-mod_ssl with openssl, all
being 100% OpenSource :)

PS: Will Sun ever open-source JSSE? Could someone here
    do some lobbying? 
    It could be a project donated to jakarta, or maybe 
    the solution could come from Cryptix :)
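
The split discussed in this message (the web server authenticates the client, the connector only carries the certificate to Tomcat) can be written down with mod_ssl and mod_jk as follows. This is an added example, not part of the original message; the file paths, the worker name `worker1`, the `/app/*` prefix and the depth value are placeholders.

```apache
# Front end: Apache + mod_ssl performs the client-certificate authentication.
SSLEngine on
SSLCertificateFile      /path/to/server.crt      # placeholder path
SSLCertificateKeyFile   /path/to/server.key      # placeholder path

# "requires + level of chain to check" from the message:
SSLCACertificateFile    /path/to/client-ca.crt   # placeholder path
SSLVerifyClient         require
SSLVerifyDepth          2                        # example value

# Export the verified client certificate (PEM) into the request environment
# as SSL_CLIENT_CERT so the connector can pick it up.
SSLOptions +StdEnvVars +ExportCertData

# Connector: mod_jk copies the SSL environment into the ajp13 request.
JkExtractSSL       On
JkHTTPSIndicator   HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator  SSL_CIPHER
JkCERTSIndicator   SSL_CLIENT_CERT
JkMount /app/* worker1

# Tomcat side: the webapp reads the forwarded certificate from the request
# attribute "javax.servlet.request.X509Certificate". Tomcat does not repeat
# the chain check; it relies on whatever arrives over ajp13, so the ajp13
# port should accept connections only from this web server.
```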
