Posted to users@tomcat.apache.org by Pierre Goupil <go...@gmail.com> on 2007/07/31 14:57:16 UTC

secured authentication / connection

Hello all,

On my webapp, I'm currently using a Tomcat-based form authentication. But I
would like to switch to an encrypted authentication. And the long-term goal
would be to have my users browse my webapp entirely with an https
connection.

Can anyone point me to a relevant tutorial? I have found a lot of
information, indeed, but it is all either Apache-based (and I would like
to rely entirely on Tomcat, regarding security features) or
Tomcat-based but with form authentication only.

Thanks in advance,

Pierre

Re: secured authentication / connection

Posted by Mark Thomas <ma...@apache.org>.
Pierre Goupil wrote:
> Hello all,
> 
> On my webapp, I'm currently using a Tomcat-based form authentication. But I
> would like to switch to an encrypted authentication. And the long-term goal
> would be to have my users browse my webapp entirely with an https
> connection.
> 
> Can anyone point me to a relevant tutorial? I have found a lot of
> information, indeed, but it is all either Apache-based (and I would like
> to rely entirely on Tomcat, regarding security features) or
> Tomcat-based but with form authentication only.

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

Mark


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: secured authentication / connection

Posted by Pierre Goupil <go...@gmail.com>.
OK...

Thanks again to all of you for your time & attention!

Pierre



2007/8/1, Hassan Schroeder <ha...@gmail.com>:
>
> On 8/1/07, Pierre Goupil <go...@gmail.com> wrote:
>
> > The real question is a bit more weird. If I try & connect to my server on
> > port 8443, but with just http protocol (no encryption) <snip/>
>
> Then you're doing something utterly meaningless, and the "file" you
> see is just the encrypted response from Tomcat.
>
> The simple answer is "don't do that"  :-)
>
> HTH,
> --
> Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
>
>
>


-- 
"If the blood does not run hot enough in your veins,
I will spill it on the sand so that it boils in the sun."

(Maraxus de Kelde)

Re: secured authentication / connection

Posted by Hassan Schroeder <ha...@gmail.com>.
On 8/1/07, Pierre Goupil <go...@gmail.com> wrote:

> The real question is a bit more weird. If I try & connect to my server on
> port 8443, but with just http protocol (no encryption) <snip/>

Then you're doing something utterly meaningless, and the "file" you
see is just the encrypted response from Tomcat.

The simple answer is "don't do that"  :-)

HTH,
-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com



Re: secured authentication / connection

Posted by Pierre Goupil <go...@gmail.com>.
Hello,

OK, I've done it: the SSL authentication of my Tomcat server works pretty
well. I'm currently using port 8443, though. But this is not my question.

The real question is a bit more weird. If I try & connect to my server on
port 8443, but with just http protocol (no encryption), Tomcat responds by
sending a file! It is a .bin file whose name is:

- either the context name of my request (for instance, if I ask for
http://myserver.com/qwerty the file is called qwerty.bin)
- or a random (?) name if I ask for the context name of my webapp.

Do you have an idea why & how to get rid of this, anyone?

Cheers,

Pierre



2007/7/31, Pierre Goupil <go...@gmail.com>:
>
> Ooops... Yes, definitely... But I still need the port 80 for my purely
> static (unencrypted) content. The connections to my webapp will be encrypted
> from end-to-end using its context name, but all the content accessible
> within the default context will be static.
>
>
> Pierre
>
>
>
> 2007/7/31, David Smith <dn...@cornell.edu>:
> >
> > Port 80 is for unencrypted traffic.  The default port for SSL (https
> > protocol) is 443.
> >
> > --David
> >
> > Pierre Goupil wrote:
> >
> > >I have some static HTML content. But I will handle it with Tomcat too, in
> > >order to ease things regarding my present need.
> > >
> > >So I will stick to Tomcat for SSL management and won't use Apache *Httpd*
> > >;-) any more... Easy. As easy as my need in fact. Actually, my only
> > >"sensitive" need is to have SSL connections from end-to-end, as this is an
> > >application for a persons & goods security firm. I don't want to take any
> > >risk with this kind of data.
> > >
> > >I'm going to investigate the use of port 80 with tomcat, now !
> > >
> > >Thanx again !
> > >
> > >Pierre
> > >
> > >
> > >
> > >2007/7/31, Caldarale, Charles R <Chuck.Caldarale@unisys.com>:
> > >
> > >
> > >>>From: Pierre Goupil [mailto:goupilpierre@gmail.com]
> > >>>Subject: Re: secured authentication / connection
> > >>>
> > >>>But I still need Apache in front of it, in order
> > >>>to be able to use the port 80 & this sort of things.
> > >>>
> > >>>
> > >>Tomcat can quite happily use port 80; what else do you need httpd for?
> > >>
> > >>(We'll assume you mean httpd when you refer to Apache, since both Tomcat
> > >>and httpd are Apache products.)
> > >>
> > >>- Chuck
> > >>
> > >>
> > >>THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> > >>MATERIAL and is thus for use only by the intended recipient. If you
> > >>received this in error, please contact the sender and delete the e-mail
> > >>and its attachments from all computers.
> > >>
> > >>
> > >>
> > >>
> > >>
> > >
> > >
> > >
> > >
> >
> >
> >
> >
>
>
> --
> "If the blood does not run hot enough in your veins,
> I will spill it on the sand so that it boils in the sun."
>
> (Maraxus de Kelde)
>



-- 
"If the blood does not run hot enough in your veins,
I will spill it on the sand so that it boils in the sun."

(Maraxus de Kelde)

Re: secured authentication / connection

Posted by Pierre Goupil <go...@gmail.com>.
Ooops... Yes, definitely... But I still need the port 80 for my purely
static (unencrypted) content. The connections to my webapp will be encrypted
from end-to-end using its context name, but all the content accessible
within the default context will be static.


Pierre



2007/7/31, David Smith <dn...@cornell.edu>:
>
> Port 80 is for unencrypted traffic.  The default port for SSL (https
> protocol) is 443.
>
> --David
>
> Pierre Goupil wrote:
>
> >I have some static HTML content. But I will handle it with Tomcat too, in
> >order to ease things regarding my present need.
> >
> >So I will stick to Tomcat for SSL management and won't use Apache *Httpd*
> >;-) any more... Easy. As easy as my need in fact. Actually, my only
> >"sensitive" need is to have SSL connections from end-to-end, as this is an
> >application for a persons & goods security firm. I don't want to take any
> >risk with this kind of data.
> >
> >I'm going to investigate the use of port 80 with tomcat, now !
> >
> >Thanx again !
> >
> >Pierre
> >
> >
> >
> >2007/7/31, Caldarale, Charles R <Ch...@unisys.com>:
> >
> >
> >>>From: Pierre Goupil [mailto:goupilpierre@gmail.com]
> >>>Subject: Re: secured authentication / connection
> >>>
> >>>But I still need Apache in front of it, in order
> >>>to be able to use the port 80 & this sort of things.
> >>>
> >>>
> >>Tomcat can quite happily use port 80; what else do you need httpd for?
> >>
> >>(We'll assume you mean httpd when you refer to Apache, since both Tomcat
> >>and httpd are Apache products.)
> >>
> >>- Chuck
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >
> >
> >
>
>
>
>


-- 
"If the blood does not run hot enough in your veins,
I will spill it on the sand so that it boils in the sun."

(Maraxus de Kelde)

Re: secured authentication / connection

Posted by David Smith <dn...@cornell.edu>.
Port 80 is for unencrypted traffic.  The default port for SSL (https 
protocol) is 443.

--David

Pierre Goupil wrote:

>I have some static HTML content. But I will handle it with Tomcat too, in
>order to ease things regarding my present need.
>
>So I will stick to Tomcat for SSL management and won't use Apache *Httpd*
>;-) any more... Easy. As easy as my need in fact. Actually, my only
>"sensitive" need is to have SSL connections from end-to-end, as this is an
>application for a persons & goods security firm. I don't want to take any
>risk with this kind of data.
>
>I'm going to investigate the use of port 80 with tomcat, now !
>
>Thanx again !
>
>Pierre
>
>
>
>2007/7/31, Caldarale, Charles R <Ch...@unisys.com>:
>  
>
>>>From: Pierre Goupil [mailto:goupilpierre@gmail.com]
>>>Subject: Re: secured authentication / connection
>>>
>>>But I still need Apache in front of it, in order
>>>to be able to use the port 80 & this sort of things.
>>>      
>>>
>>Tomcat can quite happily use port 80; what else do you need httpd for?
>>
>>(We'll assume you mean httpd when you refer to Apache, since both Tomcat
>>and httpd are Apache products.)
>>
>>- Chuck
>>
>>
>>
>>
>>
>>    
>>
>
>
>  
>




Re: secured authentication / connection

Posted by Pierre Goupil <go...@gmail.com>.
I have some static HTML content. But I will handle it with Tomcat too, in
order to ease things regarding my present need.

So I will stick to Tomcat for SSL management and won't use Apache *Httpd*
;-) any more... Easy. As easy as my need in fact. Actually, my only
"sensitive" need is to have SSL connections from end-to-end, as this is an
application for a persons & goods security firm. I don't want to take any
risk with this kind of data.

I'm going to investigate the use of port 80 with tomcat, now !

Thanx again !

Pierre



2007/7/31, Caldarale, Charles R <Ch...@unisys.com>:
>
> > From: Pierre Goupil [mailto:goupilpierre@gmail.com]
> > Subject: Re: secured authentication / connection
> >
> > But I still need Apache in front of it, in order
> > to be able to use the port 80 & this sort of things.
>
> Tomcat can quite happily use port 80; what else do you need httpd for?
>
> (We'll assume you mean httpd when you refer to Apache, since both Tomcat
> and httpd are Apache products.)
>
> - Chuck
>
>
>
>
>


-- 
"If the blood does not run hot enough in your veins,
I will spill it on the sand so that it boils in the sun."

(Maraxus de Kelde)

RE: secured authentication / connection

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Pierre Goupil [mailto:goupilpierre@gmail.com] 
> Subject: Re: secured authentication / connection
> 
> But I still need Apache in front of it, in order
> to be able to use the port 80 & this sort of things.

Tomcat can quite happily use port 80; what else do you need httpd for?

(We'll assume you mean httpd when you refer to Apache, since both Tomcat
and httpd are Apache products.)

 - Chuck





Re: secured authentication / connection

Posted by David Smith <dn...@cornell.edu>.
SSL as a protocol is not designed to allow for this sort of
man-in-the-middle configuration.  Either Tomcat handles the SSL and
listens on port 443 or Apache httpd handles the SSL and listens on 443.

--David

Pierre Goupil wrote:

>Quote from the Tomcat doc:
>
>***
>It is important to note that configuring Tomcat to take advantage of secure
>sockets is usually only necessary when running it as a stand-alone web
>server. When running Tomcat primarily as a Servlet/JSP container behind
>another web server, such as Apache or Microsoft IIS, it is usually necessary
>to configure the primary web server to handle the SSL connections from
>users. Typically, this server will negotiate all SSL-related functionality,
>then pass on any requests destined for the Tomcat container only after
>decrypting those requests.
>***
>
>I'm using Tomcat 5.5, Apache 2.0.55 & mod_jk 1.2.18. I'd really like to
>manage my SSL from within Tomcat, mainly because I feel more comfortable
>with it than with Apache. But I still need Apache in front of it, in order
>to be able to use the port 80 & this sort of things.
>
>Does this mean that I can, but that I will then have to configure my Apache
>/ jk a bit more than with straightforward http connections? How do I do this?
>
>Cheers,
>
>Pierre
>
>  
>




Re: secured authentication / connection

Posted by Pierre Goupil <go...@gmail.com>.
Quote from the Tomcat doc:

***
It is important to note that configuring Tomcat to take advantage of secure
sockets is usually only necessary when running it as a stand-alone web
server. When running Tomcat primarily as a Servlet/JSP container behind
another web server, such as Apache or Microsoft IIS, it is usually necessary
to configure the primary web server to handle the SSL connections from
users. Typically, this server will negotiate all SSL-related functionality,
then pass on any requests destined for the Tomcat container only after
decrypting those requests.
***

I'm using Tomcat 5.5, Apache 2.0.55 & mod_jk 1.2.18. I'd really like to
manage my SSL from within Tomcat, mainly because I feel more comfortable
with it than with Apache. But I still need Apache in front of it, in order
to be able to use the port 80 & this sort of things.

Does this mean that I can, but that I will then have to configure my Apache
/ jk a bit more than with straightforward http connections? How do I do this?

Cheers,

Pierre

Re: secured authentication / connection

Posted by Pierre Goupil <go...@gmail.com>.
Erf... It wasn't especially out of my reach. But (as many, I presume), when
I'm looking for info, I tend to google around, where there is info fresh
from the source...

Thanks to both of you, and I will try to use the official documentation more
in the future.

Cheers,

Pierre



2007/7/31, Caldarale, Charles R <Ch...@unisys.com>:
>
> > From: Pierre Goupil [mailto:goupilpierre@gmail.com]
> > Subject: secured authentication / connection
> >
> > Can anyone point me to a relevant tutorial ?
>
> Besides configuring SSL as Mark T pointed out, you need to read section
> 12 of the servlet spec:
> http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index.html
>
> Section 12.5.3 is specifically for form-based authentication.
>
> To force SSL for everything, use a <transport-guarantee> of CONFIDENTIAL
> in conjunction with a <url-pattern> of /* in your app's WEB-INF/web.xml
> file.  For example:
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Protect Everything</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>        <role-name>RequiredRoleHere</role-name>
>     </auth-constraint>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>
> - Chuck
>
>
>
>
>


-- 
"If the blood does not run hot enough in your veins,
I will spill it on the sand so that it boils in the sun."

(Maraxus de Kelde)

RE: secured authentication / connection

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Pierre Goupil [mailto:goupilpierre@gmail.com] 
> Subject: secured authentication / connection
> 
> Can anyone point me to a relevant tutorial ?

Besides configuring SSL as Mark T pointed out, you need to read section
12 of the servlet spec:
http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index.html

Section 12.5.3 is specifically for form-based authentication.

To force SSL for everything, use a <transport-guarantee> of CONFIDENTIAL
in conjunction with a <url-pattern> of /* in your app's WEB-INF/web.xml
file.  For example:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protect Everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>RequiredRoleHere</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

 - Chuck



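Added example, not from the thread or from Tomcat: a small audit of a WEB-INF/web.xml that reports which <url-pattern>s the CONFIDENTIAL <transport-guarantee> shown above actually forces onto TLS. It goes a step beyond the single constraint in Chuck's post by applying the servlet spec's rule for combining constraints that name the same pattern (their accepted connection types are unioned, so a second constraint without a <user-data-constraint> silently re-opens plain HTTP); both sample descriptors are constructed.

```python
import xml.etree.ElementTree as ET

RANK = {"NONE": 0, "INTEGRAL": 1, "CONFIDENTIAL": 2}  # spec values, weakest first


def _find(elem: ET.Element, name: str) -> list:
    """Descendants with this local name, ignoring the web-app XML namespace."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]


def effective_guarantees(web_xml: str) -> dict:
    """Map each url-pattern named by a <security-constraint> to the guarantee
    that really holds for it. No <user-data-constraint> means NONE, and the
    servlet spec unions constraints on a shared pattern, so the weakest wins."""
    effective = {}
    for constraint in _find(ET.fromstring(web_xml), "security-constraint"):
        declared = [(g.text or "").strip().upper()
                    for g in _find(constraint, "transport-guarantee")]
        guarantee = declared[0] if declared else "NONE"
        if guarantee not in RANK:
            guarantee = "NONE"  # unknown value: treat as unprotected
        for pat in _find(constraint, "url-pattern"):
            pattern = (pat.text or "").strip()
            if pattern not in effective or RANK[guarantee] < RANK[effective[pattern]]:
                effective[pattern] = guarantee
    return effective


def find_unprotected(web_xml: str) -> list:
    """url-patterns still reachable over plain HTTP, plus a marker if nothing names /*."""
    effective = effective_guarantees(web_xml)
    weak = sorted(p for p, g in effective.items() if g != "CONFIDENTIAL")
    if "/*" not in effective:
        weak.append("<no constraint on /*>")
    return weak


# Constructed sample: the constraint from the thread inside a Servlet 2.4 web.xml.
GOOD_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protect Everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>RequiredRoleHere</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: a later constraint for static content names /* again but
# carries no <user-data-constraint>, so plain HTTP is accepted for everything.
WEAK_WEB_XML = GOOD_WEB_XML.replace("</web-app>", """  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Static</web-resource-name>
      <url-pattern>/*</url-pattern>
      <url-pattern>/static/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>""")

if __name__ == "__main__":
    for label, descriptor in (("good", GOOD_WEB_XML), ("weak", WEAK_WEB_XML)):
        print(label, find_unprotected(descriptor))  # good [] / weak ['/*', '/static/*']
```

Tomcat enforces CONFIDENTIAL by redirecting plain-HTTP requests to the redirectPort of the HTTP connector in server.xml, so that attribute has to point at the SSL connector (8443 in this thread) or the redirect goes nowhere.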