André Warnier wrote:
> Hi List.
>
> (Indirect ref : previous thread "Moving from a very old Tomcat to a new Tomcat.")
>
> Ref : http://tomcat.apache.org/connectors-doc/reference/apache.html
> Item : JkExtractSSL
>
> Do I understand this right that this parameter JkExtractSSL (default On) controls whether Tomcat receives or not the information, through mod_jk, that the original request to Apache was made via HTTPS ?

Yes. It controls this plus if info about certificate, ssl session id, key length etc. gets forwarded.

> Or, in other words, that if one wanted Tomcat "not to know" and handle the current session as a normal non-secure HTTP connection, one could just set this parameter to "Off" ?

Yes.

> And, again in other words, if this parameter was set to Off, and Tomcat generated a new session and a JSESSIONID session cookie for this session, that the cookie would thus not be marked secure ?

Didn't try this. What do your tests say?

Additional info:

If your own knowledge about secure / non secure differs from the one of httpd (e.g. you use an ssl accelerator in front of httpd) and you want to present your own idea of secure / non secure via mod_jk to Tomcat, you can set JkHTTPSIndicator to the name of some httpd environment variable, and then set the environment variable depending on details of the request via mod_setenvif or mod_rewrite.

But if you simply want to drop all ssl info, setting JkExtractSSL to off is right.

> ---- maybe separately ----
> It is possible, but not mandatory, to let Tomcat know about the HTTPS nature of the original browser/Apache connection. This might be necessary/helpful in some scenarios (such as ?)

To be able to enforce security constraints.

> If "JkExtractSSL On" is used, then one may/must also pass additional HTTPS-related information from Apache to Tomcat via the "JkHTTPSIndicator", "JkCERTSIndicator", et al. directives.
> This is useful/required for (?)

First of all I think it's required by the servlet spec, so if we want to present the developer a consistent environment either if using with standalone Tomcat or mod_jk/Tomcat we need to forward the info to Tomcat.

> The general gist is that if for some reason it is necessary to have Apache handle HTTPS connections anyway, and the connection between Apache and Tomcat is inherently secure, then there might be no reason to "propagate" the HTTPS overhead to Tomcat, and one might as well handle it all at the Apache level.
> Or am I missing something ?

Be aware that there might be other ways into your app, like the default Tomcat HTTP connector. If you are sure you don't need the info and you don't need to double check the security of the connection, you can really disable it using JkExtractSSL.

Regards,

Rainer
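The three configurations discussed in this thread side by side, as an added httpd example that is not part of the original mail (the worker name ajp13_worker, the certificate paths and the X-Forwarded-Proto header name are assumptions; mod_ssl and mod_setenvif are loaded):

```apache
# Variant A: httpd terminates TLS with mod_ssl and Tomcat should see the real
# HTTPS state, including client certificate, SSL session id and key size.
# Both Jk directives below are the defaults and are shown only for contrast.
<VirtualHost *:443>
    SSLEngine On
    # placeholder paths
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key
    JkExtractSSL On
    # mod_ssl sets the environment variable HTTPS=on for TLS requests
    JkHTTPSIndicator HTTPS
    JkMount /app/* ajp13_worker
</VirtualHost>

# Variant B: an SSL accelerator in front of httpd speaks plain HTTP to httpd,
# so mod_ssl never sets HTTPS and Tomcat would see every request as insecure.
# Derive your own indicator from a header the accelerator adds (assumed name
# X-Forwarded-Proto). This is only safe if the accelerator is the sole peer
# that can reach port 80; otherwise any client could claim a secure request.
<VirtualHost *:80>
    SetEnvIf X-Forwarded-Proto "^https$" FRONTEND_HTTPS=on
    # JkExtractSSL must stay On, otherwise the indicator is never consulted
    JkExtractSSL On
    JkHTTPSIndicator FRONTEND_HTTPS
    JkMount /app/* ajp13_worker
</VirtualHost>

# Variant C: hide all TLS information from Tomcat. Tomcat then treats every
# request as plain HTTP, so a <transport-guarantee>CONFIDENTIAL</transport-guarantee>
# constraint in web.xml can no longer be enforced by Tomcat; httpd has to do it.
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key
    JkExtractSSL Off
    JkMount /app/* ajp13_worker
</VirtualHost>
```

With variant C, remember the point made above about other paths into the application: an HTTP connector left enabled in server.xml reaches the same webapp without passing through httpd at all.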
