Re: JServ and SSL

Wed, 5 May 1999 08:15:23 -0700 

Tarang Patel wrote:

> >>>>> On Tue, 04 May 1999 13:04:49 -0700, "jon *" <[EMAIL PROTECTED]> said:
>
>     >> I have an appache running 80 and 443 (ssl).
>     >>
>     >> JServ woks great on 80, but how do I make jserv to run under 443?
>
>     jon> <https://www.server.com/servlets/Foo>
>
>   [Q] So how does one configure a "secure" servlets directory versus that which can
>       be accessed by sundry and all ?
>
>  Would something like this do it :
>
>  ApJServMount /servlets ajpv11://localhost:8443
>
>     Tarang
>

If by "secure" you mean using SSL, you are mixing up a couple of concepts.
Apache JServ operates in a "three tier" architecture (even if the JServ servlet engine
runs on the same machine as the web server):

    Browser <---- HTTP or SSL+HTTP ----> Apache <---- AJPv11 ----> JServ

The "SSL" stuff happens between the browser and Apache, and is transparent to JServ.
You need to configure Apache to support SSL (using Stronghold or whatever), and the
config of JServ is identical to that in a non-SSL environment.

The communications link between Apache and JServ is not encrypted, but it runs only
within your server (if JServ is on the same machine) or on your LAN (if it's on a
different machine).  There are security settings to disallow any connections to the
JServ port from the outside world, and you should protect that port with any firewall
capabilities you have as well.  But the AJPv11 protocol that is used does not support
encryption, and does not need to -- that's only an issue between the client browser
and the web server.

Another view of "security" is whether or not a servlet is password protected.  You can
ask Apache to secure a servlet by setting up a <LOCATION> directive in the httpd.conf
configuration, the same as you can for password protected directories.  You just
cannot use .htaccess files for this, because Apache never looks in any "real"
directory corresponding to /servlet/foo.  Thus, you can request servlets from an
SSL-linked browser (or not), using Apache-enforced username/password authentication
(or not), to a servlet without modifying your servlet installation at all.  These are
all Apache level issues.

Craig McClanahan




----------------------------------------------------------------
To subscribe:        [EMAIL PROTECTED]
To unsubscribe:      [EMAIL PROTECTED]
READ THE FAQ!!!!     <http://java.apache.org/faq/>
Archives and Other:  <http://java.apache.org/main/mail.html/>
Problems?:           [EMAIL PROTECTED]

Reply via email to