Only the communication between the browser and the Apache server is SSL-encrypted. The communications between Apache and Tomcat, and between Tomcat and the database, are not. At least not without further action.
So make sure that your server does not open the ajp13 connector (mod_jk or whatever) port and DB server port to the outside world. Secure your servers, intranet, ports, use firewalls or secure the communications, etc. Securing the system from outside can be done mostly by closing unnecessary ports. If you cannot trust your internal network, however, it might be more effort, because you might consider encrypting the communications yourself.

Michael

> -----Original Message-----
> From: Lars Nielsen Lind [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 5 March 2003 10:45
> To: Tomcat Users List
> Subject: Security Question
>
>
> I have a server with Apache 2.0.44 and Jakarta-Tomcat 4.1.18.
> I am using OpenSSL 0.9.7a with Apache.
>
> Question:
>
> If the user activates a JSP page with a JavaBean component
> with access to a PostgreSQL database server (communicates
> with port 5432) from the secure area (https) - is it then
> possible to 'sniff' the communication between the component
> and the database server or is this communication encrypted by
> Apache with SSL?
>
> If it is possible to 'sniff' the communication - how do I
> best prevent this?
>
> Best regards,
>
> Lars Nielsen Lind
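
An added example, not part of the original messages or of the Tomcat project: a Python check for the advice in the reply above, flagging the AJP13 and PostgreSQL ports when they listen on a non-loopback address. It assumes Tomcat's default AJP13 port 8009 and `ss -ltn` style input; the sample output and the function names are constructed for illustration.

```python
import ipaddress

# Ports the thread is about. 5432 is the PostgreSQL port named in the question;
# 8009 is Tomcat's default AJP13 port (assumption: the default was not changed).
INTERNAL_PORTS = {8009: "AJP13 connector (Apache -> Tomcat)",
                  5432: "PostgreSQL (Tomcat -> database)"}

# Constructed sample of `ss -ltn` output, not taken from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*
LISTEN  0       100     0.0.0.0:8009        0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*
LISTEN  0       100     [::]:8009           [::]:*
LISTEN  0       128     [::1]:8080          [::]:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port', '[v6]:port' or '*:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def is_loopback(addr):
    """True only if the socket is bound to a loopback address."""
    if addr == "*":                       # wildcard: every interface
        return False
    addr = addr.split("%")[0]             # drop a scope id such as %eth0
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                      # unparseable: treat as exposed

def find_exposed(ss_output, ports=INTERNAL_PORTS):
    """Return (address, port, description) for internal ports not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                      # header or non-listening row
        addr, port = split_endpoint(fields[3])
        if port in ports and not is_loopback(addr):
            findings.append((addr, port, ports[port]))
    return findings

if __name__ == "__main__":
    for addr, port, what in find_exposed(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED {addr}:{port}  {what}")
```

A flagged socket is a candidate for review, since a firewall may already block it. When Apache, Tomcat and the database run on separate hosts, loopback binding is not possible and the port has to be restricted to the peer host by a firewall instead.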
