Provided you add this mod_ssl directive to your apache configuration
  SSLOptions +ExportCertData
mod_jk does forward the certData to the tomcat backend server.

I add my 2 cents to the debate: Apache httpd is an http server. Tomcat is an
application server with an http connector: it's not tomcat's main objective to
serve http static resources, it's Apache httpd's. Therefore, you'll have much
more possibilities handling and securing http requests on Apache httpd than
you'll have with Tomcat.
Furthermore, with heavy web traffic you need to lighten the load on your
Tomcat, so it's good practice to have your static files (html, images, css...)
served by the Apache httpd and have only the dynamic resources forwarded to the
tomcat.

In development environment though, a standalone tomcat is perfect...

-Romain

[EMAIL PROTECTED] wrote:
> Thank you for your answers.
> 
> As you are speaking about SSL, do you know if client certificates are
> forwarded to CAS X509 handler when Tomcat is behind the Apache/mod_jk
> or Apache/mod_proxy_ajp ?
> 
> Stéphane
> 
> On 7/24/08, Andrew Ralph Feller, afelle1 <[EMAIL PROTECTED]> wrote:
>> For those who need to support Java applications along with PHP / Perl
>> applications, they could host both from the same machine by having Apache
>> httpd front-end Apache Tomcat.  There is another reason why some people
>> use mod_jk + Tomcat: inexperience in managing Tomcat.  When I was starting
>> out, I hated working with keystores as it wasn't nearly as straightforward
>> as Apache httpd's mod_ssl configuration.  Once I found how to set up the
>> Apache Portable Runtime in Tomcat, then I felt comfortable not having Tomcat
>> front-ended as the APR configuration is extremely similar to mod_ssl.
>>
>> On a tangential note, there is an alternative to mod_jk called
>> mod_proxy_ajp, which comes with Apache httpd 2.2 and works in a similar
>> manner.
>>
>>
>> On 7/24/08 6:12 AM, "Siegfried Puchbauer" <[EMAIL PROTECTED]>
>> wrote:
>>
>>> You can gain a lot of flexibility when you choose to use Apache in front
>>> of your Tomcat backend. For example a very flexible way to perform
>>> name-based virtual hosting. Also mod_rewrite is great to perform dynamic
>>> redirects using regexes. And the reverse-proxy capabilities by mod_proxy
>>> are also very useful - especially when using other applications in the
>>> same url-space. You can also use it to display a service unavailability
>>> information when you upgrade/restart your tomcat. If you do not have the
>>> need of rewriting urls or performing virtual-hosting, there is IMHO no
>>> reason to not choose a standalone tomcat.
>>>
>>> Cheers, sigi
>>> _______________________
>>> Siegfried Puchbauer
>>> http://siegfried.puchbauer.com/
>>>
>>> On Thu, Jul 24, 2008 at 11:55, Stéphane Gully <[EMAIL PROTECTED]>
>>> wrote:
>>>> Hello,
>>>>
>>>> This is a generic question, not directly related to CAS. I'm sorry for
>>>> that.
>>>> Google didn't help me so I try here.
>>>>
>>>> When I installed CAS, I had the choice to deploy it directly in Tomcat
>>>> or in Apache/mod_jk+Tomcat. I chose to deploy it directly in Tomcat
>>>> because I needed X509 authentication handler and it just looked easier
>>>> to configure directly in Tomcat.
>>>>
>>>> I often read that mod_jk should be used but I never know why. Could
>>>> someone tell me the reason(s)?
>>>>
>>>> regards,
>>>> --
>>>> Stéphane GULLY
>>>> _______________________________________________
>>>> Yale CAS mailing list
>>>> [email protected]
>>>> http://tp.its.yale.edu/mailman/listinfo/cas
>>>
>>>
>> --
>> Andrew R. Feller, Analyst
>> Information Technology Services
>> 200 Fred Frey Building
>> Louisiana State University
>> Baton Rouge, LA 70803
>> (225) 578-3737 (Office)
>> (225) 578-6400 (Fax)
>>
>>
> 
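
The setup described in the top reply, written out as an Apache httpd virtual host. This is an added example, not configuration posted by anyone in the thread; the host name, file paths, the /cas/* mount and the worker name worker1 are assumptions.

```apache
<VirtualHost *:443>
    ServerName cas.example.org                      # assumed host name

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/cas.example.org.crt     # assumed path
    SSLCertificateKeyFile /etc/ssl/private/cas.example.org.key   # assumed path

    # Only client certificates chaining to this CA pass verification.
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt           # assumed path
    # "require" rejects handshakes without a valid client certificate;
    # use "optional" if users without one should still reach a login form.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # +ExportCertData is the directive from the reply above: it publishes the
    # PEM-encoded client certificate in the SSL_CLIENT_CERT variable.
    # +StdEnvVars publishes the remaining SSL_* variables (cipher, session id).
    SSLOptions +StdEnvVars +ExportCertData

    # mod_jk reads the SSL variables and sends them over AJP. Both lines
    # below are mod_jk's default values, spelled out for clarity.
    JkExtractSSL     On
    JkCERTSIndicator SSL_CLIENT_CERT

    # Forward only the CAS application to the Tomcat worker; worker1 must be
    # defined in the workers.properties file named by JkWorkersFile.
    JkMount /cas/* worker1
</VirtualHost>
```

On the Tomcat side the forwarded certificate is exposed to the web application through the request attribute javax.servlet.request.X509Certificate. Tomcat accepts that certificate on the word of whatever connects to its AJP port, so the AJP connector should listen only on an address that nothing but the front-end httpd can reach.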