You'll need to configure Apache mod_ssl to implement either Basic or SSLRequire authentication:
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#arbitraryclients

With regard to external hosts, I would suggest you deny all and allow secure access only to the TC host to the secure folder of Apache.

Good luck,
Martin 
______________________________________________ 
Please do not alter or interrupt this communication. Thank you
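A worked version of this suggestion, as an added example for httpd 2.2 (it is neither Martin's nor the Apache project's configuration). It reuses the certificate paths from the thread and assumes a CA file path, an organisation name in the client certificate subject, and a trusted source address, all of which are placeholders. Client-certificate verification is scoped to the protected path, following the "arbitraryclients" section of the linked howto, and the 2.2-style Order/Deny/Allow block limits that path to one host:

```apache
# Added example (not from the thread): httpd 2.2 mod_ssl front end for Tomcat.
# Paths, the organisation name and the allowed address are placeholders.
<VirtualHost *:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    "c:/usr/SSL/name.crt"
    SSLCertificateKeyFile "c:/usr/SSL/name.key"
    # CA that issued the client certificates (placeholder path; server/vhost scope only)
    SSLCACertificateFile  "c:/usr/SSL/ca.crt"

    # Proxy the whole application to the Tomcat HTTPS connector
    SSLProxyEngine   on
    ProxyPass        / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/

    # The "secure folder": only reachable with a valid client certificate
    # from our CA whose subject O field matches, and only from one host.
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  2
        SSLRequire      %{SSL_CLIENT_S_DN_O} eq "Example Corp"
        Order deny,allow
        Deny from all
        Allow from 192.0.2.10
    </Location>
</VirtualHost>
```

Putting SSLVerifyClient inside a Location makes httpd renegotiate the TLS connection when a client first enters that path, so the browser is prompted for a certificate only there; the rest of the site stays available to anonymous HTTPS clients. Both conditions (certificate and source address) have to hold, so a stolen certificate used from another host is still refused.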


> From: joan....@gmail.com
> Date: Fri, 28 Sep 2012 13:20:05 +0200
> Subject: Security issue regarding JSESSIONID cookie
> To: users@tomcat.apache.org
> 
> Hi,
> 
> I have a security issue (session hijack) with the JSESSIONID cookie,
> 
> here is the problem:
> 
> I am using an architecture with an Apache2 server in front of Tomcat. I
> have configured SSL on both sides, Apache (ssl_module) and
> Tomcat (JSSE connectors),
> 
> 1)  I tried using a connection via the AJP protocol to connect between Apache2
> and Tomcat using the following configuration in server.xml:
> 
> APACHE(httpd)
> via HTTP/HTTPS
> <VirtualHost *:80>
>     ProxyPass        / http://localhost:8080/
>     ProxyPassReverse / http://localhost:8080/
> </VirtualHost>
> 
> via AJP
> <VirtualHost *:80>
>     ProxyPass        / ajp://localhost:8009/
>     ProxyPassReverse / ajp://localhost:8009/
> </VirtualHost>
> 
> <VirtualHost *:443>
>     ServerAdmin           ad...@mail.com
>     ServerName            localhost:443
>     SSLProxyEngine        on
>     SSLEngine             on
>     SSLCertificateFile    "c:/usr/SSL/name.crt"
>     SSLCertificateKeyFile "c:/usr/SSL/name.key"
>     ProxyPass        / https://localhost:8443/
>     ProxyPassReverse / https://localhost:8443/
> </VirtualHost>
> 
> Tomcat (server.xml)
> 
> <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080"
>            protocol="HTTP/1.1" redirectPort="8443" secure="true"/>
> <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3"
>            redirectPort="8443" scheme="https" secure="true"/>
> 
> Results for this solution:
> I still can get the JSESSIONID cookie
> 
> 2)  I tried using the HTTP/S protocol to connect between Apache2 and
> Tomcat using the following configuration:
> 
> Apache:
> Same configuration
> 
> Tomcat (server.xml):
> 
> <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080"
>            protocol="HTTP/1.1" redirectPort="8443"/>
> 
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            keystoreFile="path/name.keystore" keystorePass="password"
>            clientAuth="false" sslProtocol="TLS" />
> 
> I also added this on the web.xml:
> 
> <session-config>
>     <session-timeout>30</session-timeout>
>     <tracking-mode>SSL</tracking-mode>
> </session-config>
> 
> Results for this solution:
> 
> The JSESSIONID cookie disappears, OK.
> Everything works OK if I access Tomcat directly and bypass
> Apache (localhost:8443): I can log in to the web page and keep the
> session in every link inside the app.
> 
> But when I try to access through Apache over https on port 443
> (https://localhost:443), I can log in the first time, but
> when I try to access somewhere else in the app I lose the user session and
> the app logs me out. I checked the logs and there are no errors either
> in Apache or in Tomcat.
> 
> So, is this solution implementable under this architecture?
> Am I missing some configuration?
> 
> Thanks and regards,
> Joan Morales
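The attempt above relies on Tomcat's SSL tracking mode, which keys the session on the TLS session ID of the connection that reaches Tomcat. When Apache terminates the browser's TLS and opens its own HTTPS connection to port 8443, the ID Tomcat sees belongs to the proxy hop and is not guaranteed to stay the same between requests, so binding the session to it cannot work through a TLS-terminating proxy. The usual defence against cookie theft in this architecture is to keep cookie tracking but make the cookie itself hard to steal. The following web.xml fragment is an added example (not Joan's configuration or Tomcat's defaults); the timeout and cookie name are assumptions. It works on Tomcat 7 (Servlet 3.0), which the `<tracking-mode>` element in the thread already requires:

```xml
<!-- Added example (not from the thread): hardened Servlet 3.0 session-config
     for Tomcat 7 using cookie tracking instead of SSL tracking.
     Timeout and cookie name are assumptions. -->
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <name>JSESSIONID</name>
        <!-- Only ever send the cookie over HTTPS. Set it explicitly rather than
             relying on request.isSecure(): behind a TLS-terminating proxy the
             Apache-to-Tomcat hop may be plain HTTP or AJP. -->
        <secure>true</secure>
        <!-- Keep the cookie out of reach of page scripts (document.cookie). -->
        <http-only>true</http-only>
    </cookie-config>
    <!-- COOKIE only: never fall back to URL rewriting (;jsessionid=...), which
         leaks the id into proxy logs, Referer headers and bookmarks. -->
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

Two related checks belong with this: the AJP connector (or an HTTP connector with `scheme="https" secure="true"`, as in the thread) must be the path Apache uses so the application sees the request as secure and builds https redirects; and the application should invalidate the pre-login session and create a fresh one at login, so a session ID captured before authentication is worthless afterwards.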