*Andre wrote: The above is assuming that you would want all accesses which eventually go to Tomcat, to be under SSL from the client point of view. The idea is : SSL creates an overhead (encryption). If the link between Apache and Tomcat is secure (such as, they both run on the same host, or they run on separate hosts, but both inside of your secure network), then you do not want to have an additional overhead by encrypting/decrypting the communications between Apache and Tomcat.*
This is true. Next question then. Is there a way to make just the login page (login.jsp) go through the SSL and nothing more? On Tue, Aug 4, 2009 at 4:18 PM, André Warnier <a...@ice-sa.com> wrote: > Josh Gooding wrote: > >> Update: >> >> So after re-re-reading the docs, since TC is not my standalone webserver, >> I >> should configure Apache (httpd) for SSL. That seems to be what I am >> reading. >> > > Yes. > > Client -> SSL -> Apache -> Ap/To Connector -> non-SSL -> Tomcat > (e.g. mod_jk) AJP Connector > > The above is assuming that you would want all accesses which eventually go > to Tomcat, to be under SSL from the client point of view. > The idea is : SSL creates an overhead (encryption). If the link between > Apache and Tomcat is secure (such as, they both run on the same host, or > they run on separate hosts, but both inside of your secure network), then > you do not want to have an additional overhead by encrypting/decrypting the > communications between Apache and Tomcat. > > Second point of interest : > if, in the Tomcat <Connector> which accepts the requests from Apache, you > set the attribute "tomcatAuthentication=false", then Tomcat will "believe" > the user-id it gets from Apache, as being already authenticated by Apache, > and will use it within Tomcat as the user-id. > > Now you have thus moved the authentication issue back to Apache. > > Let's forget SSL for a minute. > Under Apache, you want to protect access to some or all areas of the server > (including the requests which you are going to forward to Tomcat), in such a > way that the user must be authenticated to access these areas. > There are different methods under Apache to force the user to authenticate. > If you want to do it via your own login page though, then you will have to > find an Apache add-on module which allows you to do that, because it is not > built-in. > This, you should enquire about on the Apache httpd user's list. > > Let's now re-add SSL. > > In addition to the above, you would like the login dialog (login page and > client response to that login page) to happen under SSL, and the rest of the > conversation not. > That is not so easy as it may sound however. > So, when you enquire about a login page authentication method (on the > Apache httpd user's forum), you should make sure that you specify this > requirement clearly. > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
