On 02.12.2016 13:27, Bipin Jethwani wrote:
> We use Spring security and want to use Two Way SSL for a few Jersey based
> REST APIs exposed for mobile devices. SSL is offloaded at load-balancer or
> apache level.
>
> Can we still get access to client certificate at web app level?
>
> On second thought we can live without having access to client cert but can
> we have load-balancer or apache configured to request for client cert only
> for specific URLs?

On second thought, and after checking the Apache httpd configuration directives, you may want to look at this:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslverifyclient

It seems that, contrary to most SSL-oriented directives, this one /can/ be used at the "directory" level (which means also in a <Location> section).

So you could specify it only for some URLs, at the Apache httpd front-end level.


> Is there a standard for this?
>
> -Bipin


Hi.

If indeed "SSL is offloaded at load-balancer or apache level", isn't this more a question for the respective users' lists of these products, rather than for the Tomcat users' list?

If you do need some SSL information at the Tomcat back-end level, and if between your Apache httpd front-end and the Tomcat back-ends, the proxy/balancer module which you are using is mod_jk, then you will find the most pertinent information about passing SSL data from the front-end to the back-end Tomcat (even if you "terminate" the SSL at the httpd level), here:
http://tomcat.apache.org/connectors-doc/reference/apache.html



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
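
The two suggestions in the reply above (SSLVerifyClient inside a <Location> section, and mod_jk passing SSL data to Tomcat), combined in one front-end virtual host. This is an added example, not configuration posted in the thread; the host name, file paths, the /api/mobile prefix, the verify depth and the worker name tomcat1 are assumptions.

```apache
# Constructed example: host name, paths, URL prefix and worker name are
# placeholders, not values from the thread.
<VirtualHost *:443>
    ServerName api.example.com
    SSLEngine on
    SSLCertificateFile     /etc/httpd/tls/server.crt
    SSLCertificateKeyFile  /etc/httpd/tls/server.key

    # CA that issues the mobile client certificates. This directive is
    # only valid at server/vhost level, so it cannot go in <Location>.
    SSLCACertificateFile   /etc/httpd/tls/mobile-clients-ca.crt

    # Default for the vhost: do not ask for a client certificate.
    SSLVerifyClient none

    # Only the mobile REST endpoints demand one.
    # In per-directory context mod_ssl asks for the certificate after it
    # has read the request: by renegotiation up to TLS 1.2, and by
    # post-handshake authentication in TLS 1.3, which the client must
    # support. Test with the real mobile TLS stack.
    <Location "/api/mobile">
        SSLVerifyClient require
        SSLVerifyDepth  2
        # Export the SSL_* variables and the PEM client certificate so
        # the proxy module can forward them to the back end.
        SSLOptions +StdEnvVars +ExportCertData
    </Location>

    # mod_jk forwards the SSL data over AJP (On is already the default).
    JkExtractSSL On
    JkMount /api/* tomcat1
</VirtualHost>
```

With this in place the forwarded certificate is available to the web application through the `javax.servlet.request.X509Certificate` request attribute. Because Tomcat trusts whatever arrives over AJP, the AJP port should accept connections only from the httpd front end.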
