Thanks, I'll try to check that out.
Does Apache add those variables to the request header?
----- Original Message -----
From: "Eduardo Jaunez S." <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Tuesday, February 25, 2003 9:53 AM
Subject: RE: How to verify SSL/HTTPS behind Tomcat via AJP13
> Dear Ian,
>
> I have the same problem, but I'm trying to pass the SSL_* vars generated
by
> mod_ssl in Apache into the Tomcat side. I think this aproach could resolve
> your problem (there are a lot of vars generated only when a SSL session is
> open).
>
> Unfortunately I can't do it yet, so the JkEnvVar doesn't work for my
tests,
> and I don't know what is wrong. I send to you some hints (I receive from
> Tomcat Developer's list):
>
> httpd.conf:
> ...
> SSLOptions +StdEnvVars +ExportCertData
> ...
> JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT
> ...
>
>
> MyTest.jsp
> ...
> HttpServletRequest req ; //from the post ...
>
> // Gets the X.509 PEM Certificate
> String SSL_Client = req.getAttribute("SSL_CLIENT_CERT") ;
> ...
>
>
> If you are lucky than me, please let me know !!.
>
> Eduardo.
>
>
> > -----Mensaje original-----
> > De: Ian Hunter [mailto:[EMAIL PROTECTED]
> > Enviado el: Martes, 25 de Febrero de 2003 11:31
> > Para: Tomcat Users List
> > Asunto: Re: How to verify SSL/HTTPS behind Tomcat via AJP13
> >
> >
> > I've "fallen back" to seeing if
> > getRequestURL().toString().startsWith("https") -- that seems
> > pretty kludgy.
> > Any other ideas?
> >
> > ----- Original Message -----
> > From: "Turner, John" <[EMAIL PROTECTED]>
> > To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> > Sent: Tuesday, February 25, 2003 8:41 AM
> > Subject: RE: How to verify SSL/HTTPS behind Tomcat via AJP13
> >
> >
> > >
> > > The return from getProtocol() is correct, AFAIK. I don't
> > believe there is
> > a
> > > HTTPS/1.1 or similar, but I could be wrong.
> > >
> > > By "check protocol type" in the docs (agreed, it is
> > unclear), I believe it
> > > means to do one (or all) of the following:
> > >
> > > - check the URL for "https"
> > > - check the port number for the request
> > > - use HttpServletRequest.isSecure(), though I think that will return
> > "false"
> > > when you use Tomcat via a connector with Apache....I've
> > never tried it to
> > be
> > > sure.
> > >
> > > John
> > >
> > > > -----Original Message-----
> > > > From: Ian Hunter [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, February 24, 2003 9:26 PM
> > > > To: Tomcat Users List
> > > > Subject: How to verify SSL/HTTPS behind Tomcat via AJP13
> > > >
> > > >
> > > > From
> > > >
> > http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html -- "Any
> > > > pages which absolutely require a secure connection should
> > > > check the protocol
> > > > type associated with the page request and take the
> > > > appropriate action of
> > > > https is not specified."
> > > >
> > > > Also, "When running Tomcat primarily as a Servlet/JSP
> > container behind
> > > > another web server, such as Apache or Microsoft IIS, it is
> > > > usually necessary
> > > > to configure the primary web server to handle the SSL
> > connections from
> > > > users. Typically, this server will negotiate all SSL-related
> > > > functionality,
> > > > then pass on any requests destined for the Tomcat
> > container only after
> > > > decrypting those requests. Likewise, Tomcat will return
> > > > cleartext responses,
> > > > that will be encrypted before being returned to the user's
> > > > browser. In this
> > > > environment, Tomcat knows that communications between the
> > > > primary web server
> > > > and the client are taking place over a secure connection
> > (because your
> > > > application needs to be able to ask about this), but it does
> > > > not participate
> > > > in the encryption or decryption itself."
> > > >
> > > > However, when I check "request.getProtocol()" I get
> > > > "HTTP/.1.1" even when
> > > > I'm connecting via SSL (url shows https: and browser
> > shows "lock" and
> > > > confirms 128 bit SSL) -- what gives?
> > > >
> > > >
> > > >
> > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail:
> > [EMAIL PROTECTED]
> > > >
> > >
> > >
> > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
