On Mon, Apr 15, 2002 at 01:39:33PM -0400, Rich wrote:
> You would prefer to have the SSL handshake occur with Apache, right? So
> I'm wondering, with Tomcat configured as a standalone SSL server are you
> sure that apache is doing the handshake, and not Tomcat.
Notice the address that I give the SSL connector - 127.0.0.1 -- and I've
verified that it's only listening on 127.0.0.1:8443 so yes, I'm sure that
Tomcat is not doing the handshake (plus I verified which cert I'm getting).
> -You can say that again. This might be the root of my SSL problem too,
> although hard to tell since we are using different apache modules and I use
> Tomcat's role based auth. I "kludged a fix in code" and am limited for time
> so may not attempt the exercise of getting Tomcat's SSL working.
I'm also using JDBCRealm authentication on Tomcat and I have:
tomcatAuthentication="true"
set in the AJP13 connector config stanza.
What would be ideal would be a programmatic way in a servlet to force
authentication rather than having to hard-code stuff via auth-constraints in
web.xml.
Adi
> Rich
> -----Original Message-----
> From: Aditya [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 15, 2002 1:07 PM
> To: [EMAIL PROTECTED]
> Subject: Re: SSL redirects with mod_jk
>
>
> On Mon, Apr 15, 2002 at 09:26:40AM -0400, Rich wrote:
> > I'm curious about a few things. Why did you choose mod_jk over mod_webapp?
>
> - I needed to send everything Apache receives to Tomcat
>
> - We auto-add contexts to appbase and I don't need to update the config and
> restart apache each time that happens
>
> > And when you enabled the SSL connector, did you also add jsse and basically
> > configure tomcat as a standalone SSL enabled server?
>
> yes, in order to get Tomcat running with the SSL connector, it had to have
> jsse etc. -- for testing I'd already configured Tomcat with SSL standalone and
> a self-signed cert, and so that was straightforward.
>
> At this point it "works" but I had to make the non-intuitive leap of adding the
> SSL connector and thought others might benefit from knowing about it.
>
> Thanks,
> Adi
>
> > -----Original Message-----
> > From: Aditya [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, April 14, 2002 3:47 PM
> > To: [EMAIL PROTECTED]
> > Subject: SSL redirects with mod_jk
> >
> >
> > I have apache 1.3+mod_ssl and mod_jk (ajp13) "fronting" a Tomcat 4.0.3 server
> > which has a servlet protected by:
> >
> > <user-data-constraint>
> > <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > </user-data-constraint>
> >
> > I assume that for performance reasons it would be best if I could run no
> > connectors other than the AJP13 one.
> >
> > Ideally, calls to the above servlet as http should be redirected to the
> > equivalent https page. To that end, I have, in my server.xml:
> >
> > <!-- Define an AJP 1.3 Connector on port 8009 -->
> > <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
> > port="8009" minProcessors="30" maxProcessors="150"
> > acceptCount="10" debug="0"
> > enableLookups="false" redirectPort="443"
> > secure="false" scheme="http"
> > address="127.0.0.1"
> > tomcatAuthentication="true"/>
> >
> > however the redirect won't work (Status 500 error) unless I put in an HTTPS
> > connector as well in server.xml (note that it doesn't have to be accessible at
> > all, hence the 127.0.0.1 and port 8443 is blocked off so it doesn't seem to
> > play any part in the whole deal other than to signal to Tomcat that it can
> > handle redirects to SSL):
> >
> > <!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
> > <Connector className="org.apache.catalina.connector.http.HttpConnector"
> > address="127.0.0.1" port="8443" minProcessors="5"
> > maxProcessors="75"
> > enableLookups="false"
> > acceptCount="10" debug="0" scheme="https" secure="true">
> > <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
> > clientAuth="false" protocol="TLS"
> > keystorePass="foo"/>
> > </Connector>
> >
> > (I tried putting in an additional ajp13 connector that mod_jk sent anything
> > that showed up as SSL to, but that didn't work).
> >
> > Is this how it's supposed to work? If so, it should be documented
> > somewhere...
> >
> > Thanks,
> > Adi
> >
> > --
> > To unsubscribe: <mailto:[EMAIL PROTECTED]>
> > For additional commands: <mailto:[EMAIL PROTECTED]>
> > Troubles with the list: <mailto:[EMAIL PROTECTED]>
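An added example, not part of the thread or of Tomcat itself: a small audit script that checks a Tomcat 4 server.xml for the two conditions the thread turns on, a redirectPort with no secure connector behind it (the Status 500 case) and a connector reachable beyond loopback (Adi's reason for binding both connectors to 127.0.0.1). The two XML fragments are constructed from the connectors quoted above, not taken from any real deployment.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments modelled on the connectors quoted in the
# thread: AJP13 for mod_jk plus the loopback-only SSL connector.
WITH_SSL_CONNECTOR = """<Server><Service name="Tomcat-Apache">
<Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8009"
  address="127.0.0.1" redirectPort="443" scheme="http" secure="false"/>
<Connector className="org.apache.catalina.connector.http.HttpConnector"
  address="127.0.0.1" port="8443" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
    clientAuth="false" protocol="TLS" keystorePass="foo"/>
</Connector>
</Service></Server>"""

# Same, but without the SSL connector and with AJP bound to every interface.
WITHOUT_SSL_CONNECTOR = """<Server><Service name="Tomcat-Apache">
<Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8009"
  redirectPort="443" scheme="http" secure="false"/>
</Service></Server>"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_connectors(server_xml):
    """Return a list of (finding, port) tuples; an empty list means clean."""
    findings = []
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    secure = [c for c in connectors if c.get("secure", "false").lower() == "true"]
    for conn in connectors:
        port = conn.get("port", "?")
        addr = conn.get("address")
        # redirectPort only takes effect when some secure connector is defined;
        # without one, a CONFIDENTIAL transport-guarantee ends in the 500 above.
        if conn.get("redirectPort") and not secure:
            findings.append(("redirect-without-secure-connector", port))
        # Connectors that exist only for the local Apache (AJP13, the
        # signalling SSL connector) should not be reachable from off-host.
        if addr is None or addr not in LOOPBACK:
            findings.append(("bound-on-all-interfaces", port))
    return findings


if __name__ == "__main__":
    for label, xml in (("with", WITH_SSL_CONNECTOR), ("without", WITHOUT_SSL_CONNECTOR)):
        print(label, audit_connectors(xml) or "clean")
```

Point it at a real server.xml by reading the file into `audit_connectors`; the checks are purely static and do not touch the running server.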