On Thu, 31 Oct 2002, Turner, John wrote:

> If you are using Tomcat + Apache, the activity between Tomcat and
> Apache on the connector is not secure.  It is not encrypted.
>
> SSL Request -> Apache -> Decrypted by Apache -> Sent to Connector ->
> Sent to Tomcat on Connector port -> reply back to Apache -> Response
> encrypted by Apache -> SSL Response to Client
>
> As far as Tomcat is concerned, the request isn't secure...all Tomcat
> sees is a typical request on a connector port.  Perhaps there is
> some code in isSecure() that can differentiate, but I would be
> surprised if there was.

Surprise!

The isSecure() check (as well as getScheme()) refers to the original
request.  So, all of what you say otherwise is correct, but isSecure()
(and getScheme()) should reflect what was true of the original
request, whether it came to Apache or Tomcat.

I verified this using SnoopServlet in the Tomcat distrib examples
context.  On a machine I have, I have that available to both my http
and https web server hosts/instances.  Then I tried the URLs:

http://www.machinename.com//examples/snoop
https://www.machinename.com//examples/snoop

(snoop is mapped to SnoopServlet in the examples context web.xml file.)

For the first URL, "Scheme" (which shows the value of getScheme()) was
"http", and "Request Is Secure" (which shows the value of isSecure())
was "false".  For the second, the values were "https" and "true",
respectively.

Now, one caveat I'll add is that this is with 4.0.4.  I imagine it's
possible that this behavior changed between versions.  But it would
seem an odd change, because it's a major change to a basic behavior
(and one that I think goes against the spec).  Further, some
tomcat-dev people post to this list, so I would've thought they'd have
commented if this were the case.

I didn't respond directly to Randy's note because I didn't have any
idea what might be causing the problem.  It's possible that there is
some configuration that needs to be set to get this behavior.  But
from a quick glance at my configuration, I didn't see what that might
be.

Oh, I just did a search of the archives (at marc.theaimsgroup.com),
and looks like someone brought up this same issue quite recently (and
I think I was combining/confusing the two threads).  There was only
one followup to the initial response there (the subject was "Possible
bug with isSecure()/getScheme() methods in tomcat 4."), which said:

  IIRC there is a bug in the coyote connector in TC 4.1.10.

  You have to use the org.apache.ajp.tomcat4.Ajp13Connector connector
  and set an attribute tomcatAuthentication="false" to achieve the
  result you desire.

In fact, I am using the Ajp13Connector, and I do have
tomcatAuthentication set to false (that's to allow the authentication
to be done by Apache, but maybe there's some interaction there).  So
there are a couple of things to try to see if it has any effect.


> > -----Original Message-----
> > From: Randy Secrist [mailto:tomcat@secristfamily.com]
> > Sent: Wednesday, October 30, 2002 5:24 PM
> > To: Tomcat Users List
> > Subject: Re: Tomcat SSL w/ Apache
> >
> >
> > I played around with the config for a few hours today - didn't get any
> > results.  Having read that about name based hosting before, I switched
> > to IP based vhosting... - after popping in a few network cards...
> >
> > What happens now is the same as before...
> >
> > 1)
> >     I switch to HTTPS - and I get the standard warning about self
> >     signed certificates...
> > 2)
> >     I accept it...
> > 3)
> >     Tomcat gets and compiles the request...showing isSecure is
> >     false...when it should be true
> > 4)
> >     And apache feeds me the page via https, and the browser reports
> >     secure transmission.
> > 5)
> >     I check Apache's logs... (No errors in SSL via apache side..)
> >     Tomcat's logs were garbled until I cleaned up my virtual host
> >     files - but now they appear to be fine... - no errors.
> >
> > Somewhere in there, Tomcat is getting the request - because it compiles
> > the JSP directives, and returns false when calling <%=request.isSecure()%>
> > However as noted above - this happens when using https!  If I do the same
> > thing on my linux box - it works just fine - (albeit I didn't compile
> > apache myself on that thing... - but that shouldn't matter - because SSL
> > does work - just NOT with Tomcat...)
> >
> > Here is the relevant part of my httpd.conf...
> > - note - NameVirtualHost * is commented out prior to this... - does
> > _default_:443 - mean it is still trying to use a default named Vhost, or
> > a default IP?
> >
> > <IfModule mod_ssl.c>
> > <VirtualHost _default_:443>
> > DocumentRoot c:/web/Tomcat-4-1/webapps/ROOT
> > ErrorLog logs/ssl-error_log
> > TransferLog logs/ssl-access_log
> > SSLEngine on
> > SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > SSLCertificateFile conf/ssl/myDomain.cert
> > SSLCertificateKeyFile conf/ssl/myDomain.key
> > SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> > CustomLog logs/ssl_request_log \
> >           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> > RewriteEngine On
> > RewriteOptions inherit
> > </VirtualHost>
> > </IfModule>
> >
> >
> > ----- Original Message -----
> > From: "Robert L Sowders" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Wednesday, October 30, 2002 12:51 AM
> > Subject: Re: Tomcat SSL w/ Apache
> >
> >
> > > The configuration you describe for virtual hosts is correct except
> > > that for SSL to work correctly in Apache you have to use IP based
> > > virtual hosting.  Name based virtual hosting will give you errors.  See
> > > http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
> > >
> > > rls
> > >
> > > "Randy Secrist" <[EMAIL PROTECTED]>
> > > 10/29/2002 07:58 PM
> > > Please respond to "Tomcat Users List"
> > >
> > >
> > >         To:     "Tomcat Users List" <[EMAIL PROTECTED]>
> > >         cc:
> > >         Subject:        Tomcat SSL w/ Apache
> > >
> > >
> > > I have an interesting problem that I don't know much about.  I am
> > > integrating Apache with Tomcat using mod_jk - and I have it mostly
> > > working.  The only real problem I have left - is getting SSL - which
> > > appears to be working with Apache - to work with Tomcat.
> > >
> > > I have both HTTP connectors disabled in Tomcat.  The only connector I
> > > have up is Coyote's AJP on 8009.  (Via tomcat 4.1.12).
> > >
> > > When I switch to https and accept my self generated certificate, the
> > > browser returns the compiled jsp page, without any non secure
> > > warnings... - but if I call <%=request.isSecure()%> - it returns FALSE
> > > - even though I am using HTTPS.  I'm not sure why this could be
> > > happening.
> > >
> > > In Apache - I have 2 virtual hosts mapped to the same domain name - on
> > > different ports - because I couldn't get it to work right with just one.
> > >
> > > mydomain.com:80
> > > and
> > > mydomain.com:443 (with all my SSL directives...)
> > >
> > > Could anyone offer advice?
> > >
> > > Randy
> > >
> > >
> > >
> > > --
> > > To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> > > For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
> > >
> >
> >

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]
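The thread's whole question is whether the container, sitting behind Apache and an AJP connector, still reports the client's original request as secure. As an added example that is not part of the thread and not code from Tomcat or the examples webapp, here is a servlet filter for the Servlet 2.3 API (javax.servlet, the API level Tomcat 4 ships) that depends on request.isSecure() the same way the SnoopServlet check above does: it logs what the container reports and refuses to serve the protected path unless the request is secure. The class name, package and log text are my own choices.

```java
// Added example, not from the original posts or from Tomcat itself.
// Assumes the Servlet 2.3 API (javax.servlet.*) as used by Tomcat 4.
// The class and package names are hypothetical.
package example.filters;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Refuses to serve a resource unless the container reports the request as
 * secure. Behind Apache + AJP this relies on the connector propagating the
 * SSL state of the original client request, which is exactly what the
 * SnoopServlet check in the thread verifies.
 */
public class RequireSecureFilter implements Filter {

    private FilterConfig config;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.config = filterConfig;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // What the container believes about the original request. For an
        // https request that came in through Apache these should read
        // "https" / true, matching the client side, not the plain AJP hop.
        String scheme = request.getScheme();
        boolean secure = request.isSecure();
        int port = request.getServerPort();
        config.getServletContext().log("RequireSecureFilter: scheme=" + scheme
                + " isSecure=" + secure + " serverPort=" + port
                + " uri=" + request.getRequestURI());

        if (!secure) {
            // Reject rather than redirect to https: if the connector does not
            // propagate the SSL state (the symptom in this thread), a redirect
            // to https would come back with isSecure() still false and loop
            // forever. A 403 makes the misconfiguration visible instead.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "This resource is only served over SSL");
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        config = null;
    }
}
```

Register it in the web application's web.xml with a <filter> entry and a <filter-mapping> for the paths that must be SSL-only, then request one of those paths over http and over https through Apache: the logged scheme/isSecure pair should flip from "http"/false to "https"/true, and the 403 on the plain-http request confirms the connector is passing the SSL state through. If the https request is also refused, the container is not seeing the original request as secure, which is the configuration problem the thread is chasing rather than a fault in the filter.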

