Thanks. One question. Any idea what the performance hit is for using apache
with mod_jk vs straight Tomcat?

John

On 1/25/07, Mark Diggory <[EMAIL PROTECTED]> wrote:

John,
It is mounted via mod_jk, a connector which allows apache to communicate with
tomcat directly. I left that out, those details are available in tomcat's
server.xml. There are two configurations that you are hearing back from
Larry Stone and myself about.
1.) Use Apache and mod_jk in front of tomcat to handle http/https
requests. In which apache handles which port a request goes to ala URL
Rewrites/Redirects, tomcat listens via the mod_jk/ajp connector for
requests. This is the solution usually taken in production environments
running tomcat. It allows the System Administrator to control the entire
request process and its behavior. There are many "mods" in Apache that can
do things like bandwidth filtering, redirecting and URL rewriting which are
difficult if not impossible to find for Tomcat directly. This solution does
not require having to recompile the dspace webapplication to administer
these aspects, it allows your System Admin to take control in this area
while your application developers deal with the web-application side.

2.) Use Tomcat to directly serve http/https and security constraints. This
requires rebuilding the war (or just editing the security constraint in
web.xml) to enforce this restriction. Note, you have to open tomcat up on two
ports, http and https. You also need to hack the JSPs to redirect you back
out of https after your user is leaving a protected area.

This is why I choose the former solution, it is always in the hands of the
system administrator, who is the expert in this area and actually needs to
control these security aspects of a service as the responsibility of his/her
position. It requires zero modification of the DSpace web-application JSPs
and configuration and thus is very easy to maintain across dspace
upgrades.  Each solution has its nuances and complexities. You'll need
to evaluate for yourself, which seems most appropriate for your taste and
situation.

-Mark Diggory


On Jan 24, 2007, at 3:19 PM, John Preston wrote:

I see that you are redirecting to the apache https service. Where is the
tomcat server, I presume on 84343 port.

John

On 1/24/07, Mark Diggory < [EMAIL PROTECTED]> wrote:
>
> We accomplish this within our Apache httpd service in front of Tomcat.
> Basically I use mod_rewrite to force specific URLs into http or https, for
> example:
>
> ## SSL Virtual Host Context
> <VirtualHost 18.51.3.31:443>
>
>
> ...
>
>        RewriteEngine on
>
>        RewriteCond   %{REQUEST_URI}    !^/certificate-login.*
>        RewriteCond   %{REQUEST_URI}    !^/password-login.*
>        RewriteRule   ^/(.*)  http://%{HTTP_HOST}/$1 [L,R]
>
> ...
>
> </VirtualHost>
>
> <VirtualHost 18.51.3.31:80>
>
>
> ...
>
>         RewriteEngine on
>
>         RewriteCond   %{REQUEST_URI}    ^/certificate-login.* [OR]
>         RewriteCond   %{REQUEST_URI}    ^/password-login.*
>         RewriteRule   ^/(.*)  https://%{HTTP_HOST}:443/$1 [L,R]
>
> ...
>
> </VirtualHost>
>
> -Mark
>
>
> On Jan 24, 2007, at 2:15 PM, John Preston wrote:
>
> Can anyone tell me if it is possible to use https for just the login
> steps and regular unsecured http to access my dspace site. I need to secure
> the login username/password phase but once logged in I want to use the
> regular http so it is as fast as possible.
>
>
>    Mark R. Diggory
> ~~~~~~~~~~~~~
> DSpace Systems Manager
> MIT Libraries, Systems and Technology Services
> Massachusetts Institute of Technology
>
>
>

Mark R. Diggory
~~~~~~~~~~~~~
DSpace Systems Manager
MIT Libraries, Systems and Technology Services
Massachusetts Institute of Technology
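
The rewrite rules quoted in the thread above can be modelled offline to check which scheme each path settles on before the vhosts go live. This is an added example, not code from the posts or from DSpace; the host name and sample paths are constructed, and only the RewriteCond chaining and redirect target of these two rule sets are modelled.

```python
import re

# Rules transcribed from the two VirtualHost blocks quoted in the thread.
# Each RewriteCond is (negated, pattern, has_OR_flag); then the redirect target.
HTTPS_VHOST = ([(True, r"^/certificate-login.*", False),
                (True, r"^/password-login.*", False)],
               "http://{host}/{path}")
HTTP_VHOST = ([(False, r"^/certificate-login.*", True),
               (False, r"^/password-login.*", False)],
              "https://{host}:443/{path}")

def conds_match(conds, uri):
    """Chain RewriteCond lines as mod_rewrite does: AND by default,
    [OR] joins a condition to the one that follows it."""
    result, group = True, False
    for i, (negated, pattern, or_next) in enumerate(conds):
        hit = re.search(pattern, uri) is not None
        group = group or (hit != negated)
        if not or_next or i == len(conds) - 1:
            result, group = result and group, False
    return result

def redirect(vhost, uri, host="dspace.example.edu"):
    """Return the Location this vhost would send, or None if it serves the URI.
    The host default is a placeholder standing in for %{HTTP_HOST}."""
    conds, target = vhost
    m = re.search(r"^/(.*)", uri)            # RewriteRule pattern ^/(.*)
    if m and conds_match(conds, uri):
        return target.format(host=host, path=m.group(1))
    return None

def final_scheme(scheme, uri):
    """Follow redirects between the two vhosts until the request settles."""
    for _ in range(5):
        loc = redirect(HTTPS_VHOST if scheme == "https" else HTTP_VHOST, uri)
        if loc is None:
            return scheme
        scheme = loc.split(":", 1)[0]
    raise RuntimeError("redirect loop between vhosts")

# Constructed sample paths; only the two login prefixes come from the thread.
SAMPLES = ["/password-login", "/certificate-login", "/handle/123/456",
           "/password-login-extra", "/"]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:24} http->{final_scheme('http', uri):5} "
              f"https->{final_scheme('https', uri)}")
```

Running it shows the two login prefixes (and anything that merely starts with them) settling on https, while every other path, including pages requested after login, settles on plain http.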



_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech
