Matt,

On 1/22/2010 5:09 PM, Matt Turner wrote:
> In between times I tried the ProxyPass which seems to work fine, but I'd much
> rather use plain AJP so I'll try that next.

AJP is the protocol used by both mod_jk and mod_proxy_ajp (which is what you get if you use ProxyPass with an ajp:// URL). Which one depends on your requirements:

mod_proxy_ajp is bundled with Apache httpd and therefore has (usually) no additional compilation and/or configuration to perform. Also, all configuration for URL mapping, etc. occurs within httpd.conf.

mod_jk is separate and should be compiled on the target system, which is inconvenient for some users. mod_jk is much older and has therefore undergone much more in the way of testing in the wild. While configuration can be done in httpd.conf, historically it's always been done in an external file with a proprietary format, which increases complexity.

In my experience, mod_jk is better with complex configurations than mod_proxy_ajp, but mod_proxy_ajp is much more convenient for simple configurations.

> I've had problems previously getting CAS working where the SSL is
> handled by the webserver - however from what everyone has said and
> having read around the issue a bit more, it does sound like using AJP
> ought to work, so long as Apache is configured to pass through all the
> relevant SSL and cert. info to tomcat (presumably so that isSecure() can
> work, plus I think CAS validates certificates too).

This will work: I've recently been playing around with client certificates passed through Apache httpd and it worked quite well once the stars aligned for me (and I upgraded certain components that had known issues with SSL cert chains). I had Apache httpd validate the certs and then pass them through to Tomcat, where I performed a manual certification-checking process as a double-check as well as to pull some information from the cert for identification purposes.

Good luck,
-chris
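
The setup discussed in this message, sketched as an httpd virtual host. This is an added example, not part of the original message or the poster's configuration. The host name, file paths, the /cas context and the worker name tomcat1 are placeholders.

```apache
# Added example: httpd terminates SSL, validates the client certificate,
# and forwards the request (with the SSL details) to Tomcat over AJP.
# All names and paths below are placeholders.
<VirtualHost *:443>
    ServerName sso.example.org

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # httpd performs the first validation of the client certificate
    # against this CA bundle and rejects clients that present none.
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Export the SSL variables and the PEM-encoded client certificate
    # (SSL_CLIENT_CERT) into the request environment.
    SSLOptions +StdEnvVars +ExportCertData

    # Option A: mod_proxy_ajp. Bundled with httpd; the URL mapping lives here.
    # The AJP connector is addressed on loopback so it is not reachable
    # from other hosts.
    ProxyPass /cas ajp://127.0.0.1:8009/cas

    # Option B: mod_jk. Use instead of option A, not together with it.
    # workers.properties is the external file with mod_jk's own format;
    # it would define the worker "tomcat1" (type ajp13, 127.0.0.1:8009).
    # JkExtractSSL makes mod_jk pick up the SSL details exported above.
    #
    # JkWorkersFile conf/workers.properties
    # JkExtractSSL On
    # JkMount /cas/* tomcat1
</VirtualHost>

# Tomcat side: requests arriving over AJP from an SSL virtual host report
# isSecure() == true, and the forwarded client certificate is available as
# the request attribute javax.servlet.request.X509Certificate, which is
# where an application-level second check can read it.
```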