Hi,

2013/4/26 Jeffrey Janner <jeffrey.jan...@polydyne.com>:
> Ok, I know I've been doing this for awhile and should probably know better,
> but....
>
> Since long ago (4.x?), at the guidance of some long-gone developers, I've
> been adding the following to our app_context.xml file for instances where we
> are expecting to use SSL protocol for communications. Note we are not using
> SSL-Client-Authentication, which is what I've recently discovered this valve
> actually implements. I actually use a security-constraint to force the
> conversation to the SSL port. So with that background, am I getting any
> beneficial side-effects from this, and, if so, is there a better way to get
> the same results?
> <Valve className="org.apache.catalina.authenticator.SSLAuthenticator"
> securePagesWithPragma="false" />

If I'm not wrong, the authenticators are not called if the request is not
constrained to an auth-constraint. If it was, you would need a client
certificate to access your web app (ensured by that authenticator). So no in
your case.

> From the definition of the parameter, I am at least turning off some
> IE-incompatible headers that control proxy-caching.

Not even that, if you really have no auth-constraint then there is no
justification to keep this authenticator in the context.

>
> FYI: Currently deployed on Tomcat 6.0.27 and higher, and starting the
> transition to Tomcat 7.0.latest.
>
> Jeff
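
A small check, added here as an illustration and not part of the original thread, that applies the reply's reasoning: it reads a context file and a web.xml and flags an SSLAuthenticator valve configured without any auth-constraint. Both XML documents are constructed samples, and `audit` and `local` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

SSL_AUTH = "org.apache.catalina.authenticator.SSLAuthenticator"

# Constructed sample files (assumptions, not taken from the original post).
CONTEXT_XML = """<Context>
  <Valve className="org.apache.catalina.authenticator.SSLAuthenticator"
         securePagesWithPragma="false" />
</Context>"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip an XML namespace so javaee-namespaced web.xml tags match."""
    return tag.rsplit("}", 1)[-1]

def audit(context_xml, web_xml):
    """Summarise the valve and constraint settings discussed in the thread."""
    ctx, web = ET.fromstring(context_xml), ET.fromstring(web_xml)
    valve = any(local(e.tag) == "Valve" and e.get("className") == SSL_AUTH
                for e in ctx.iter())
    tags = [local(e.tag) for e in web.iter()]
    guarantees = [(e.text or "").strip() for e in web.iter()
                  if local(e.tag) == "transport-guarantee"]
    methods = [(e.text or "").strip() for e in web.iter()
               if local(e.tag) == "auth-method"]
    result = {
        "ssl_authenticator_valve": valve,
        "auth_constraint": "auth-constraint" in tags,
        "client_cert_login": "CLIENT-CERT" in methods,
        "confidential_transport": "CONFIDENTIAL" in guarantees,
    }
    # Per the reply: with no auth-constraint the valve has nothing to enforce.
    result["valve_unjustified"] = valve and not result["auth_constraint"]
    return result

if __name__ == "__main__":
    for key, value in audit(CONTEXT_XML, WEB_XML).items():
        print(f"{key}: {value}")
```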