Posted to dev@tomcat.apache.org by Nick Betteridge <n....@syntactics.com> on 2000/09/08 18:55:15 UTC
Re: jakarta - virtual hosts and https
>
> Nick Betteridge wrote:
>
> > Craig,
> >
> > I'm busy going through Catalina's code with a view to implementing https
> > / virtual hosts, and then it suddenly struck me that I had better find
> > out if somebody is already doing this!
> >
> > My end goal would simply be to have certificate names in the server or
> > virtualhost in the server.xml, which would be got from either keystore
> > or jndi/ldap.
> >
> > If nobody is doing this then I'll do it locally here and forward the
> > results for review.
> >
> > Regards
> > Nick Betteridge
>
> It's interesting that you should mention this ... it is part of what I
> started working on last night! I would very definitely like to collaborate
> on getting this right. (I need to have SSL authentication and certificates
> support available in Tomcat 4.0 because the J2EE RI is going to need it).
>
> Are you planning to have a separate keystore per virtual host? The current
> model of a connector does not support that very well, because the existence
> of the keystore is currently hidden down inside the socket factory (in
> other words, it's a per-connector thing).
>
> The current way to have per-virtual-host keystores would be to create a
> connector per virtual host, but this is only practical on a
> multi-IP-address server, and doesn't scale to named virtual hosts.
>
> How about if we discuss the goals to be solved, and possible design
> solutions, on TOMCAT-DEV and then collaborate on getting Tomcat 4.0
> right?
>
Fine by me to discuss it on TOMCAT-DEV.
Yes, my initial thoughts were to have a keystore per virtual host but I
didn't realise that it requires a multi-IP-address server.
Posting this to tomcat-dev@jakarta.apache.org to kick it off
Nick
Re: jakarta - virtual hosts and https
Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Having a keystore per virtual host seems like a reasonable design goal. It
raises several questions in my mind that we should answer to figure out what to
build:
* I'm currently working with JSSE 1.0.2 as the basis of SSL
support for Tomcat 4.0, unless there are better suggestions.
* In JSSE terms, are we talking about the keystore of the server's
own certificates, the truststore of trusted client certificates, or both?
* In order to use client certificates for authentication (from the servlet
container's perspective), it might make sense to have an
extended version of the Realm interface that does the "authenticate
the principal" trick by checking for an appropriate certificate, and
then exposes that certificate as a request attribute. However, I do
not see where the identification of roles assigned to each user is
covered just with certificates, so maybe it should be separated.
* The current object hierarchy makes doing this a little bit awkward.
(Please excuse the ASCII art):
          Connector ----- Engine
             /               \
            /                 \
   SSLSocketFactory          Host
         /                      \
        /                        \
  SSLServerSocket           New KeyStore?
because there is no good communication between the SSLServerSocket
(and the Host, where you presumably have associated the key store info).
We need to think about alternative communication paths here.
Craig McClanahan
--
====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00): Sun Technical Briefing
Session T06 (24-Oct 14h00-15h00): Migrating Apache JServ
Applications to Tomcat
response.sendRedirect Problem in IE
Posted by shahed <sh...@enoor.com>.
I have a response.sendRedirect() at the bottom of my
jsp page that redirects the user to some page
if the current page is done processing without any errors.
In Netscape, it works fine. In IE, I get a portion of
the current page and then the HTTP header text followed by
the HTML content of the redirected page.
Any clues as to what is going on?
Thanks
Shahed
Re: jakarta - virtual hosts and https
Posted by Nick Bauman <ni...@cortexity.com>.
Just a comment. I'm not sure that a 1-to-1 exists between keystore and
cert but...
On Fri, 8 Sep 2000, Nick Betteridge wrote:
> > The current way to have per-virtual-host keystores would be to create a
> > connector per virtual host, but this is only practical on a
> > multi-IP-address server, and doesn't scale to named virtual hosts.
> >
I thought you cannot have multiple certificates per IP. I thought a
certificate had to map to a unique name AND a unique IP.
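Craig's object-hierarchy point and Nick Bauman's closing question both reduce to the same limitation: the connector commits to one keystore before it can know which named virtual host the client asked for. The TLS Server Name Indication extension later moved the host name into the ClientHello, which is what lets one IP address serve a certificate per host; the Go program below is an added example, not code from this thread or from Tomcat, and it assumes two constructed host names with throwaway self-signed certificates. It shows the server choosing its certificate from the SNI name and refusing names it holds no certificate for, plus the client-side check that rejects a certificate issued for a different host.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// vhosts mints a throwaway self-signed certificate per host name (constructed fixtures standing in for per-virtual-host keystore entries) plus a pool trusting only them, which plays the client's truststore.
func vhosts(hosts ...string) (map[string]tls.Certificate, *x509.CertPool, error) {
	certs, pool := map[string]tls.Certificate{}, x509.NewCertPool()
	for i, h := range hosts {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), DNSNames: []string{h},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
		if err != nil {
			return nil, nil, err
		}
		leaf, _ := x509.ParseCertificate(der) // DER we just produced always parses
		pool.AddCert(leaf)
		certs[h] = tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
	}
	return certs, pool, nil
}

// serverConfig picks the certificate per connection from the ClientHello's SNI
// name; a name with no keystore entry is refused, not served another host's cert.
func serverConfig(certs map[string]tls.Certificate) *tls.Config {
	return &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if c, ok := certs[h.ServerName]; ok {
			return &c, nil
		}
		return nil, errors.New("no certificate for " + h.ServerName)
	}}
}

// clientAccepts replays the client side: fetch the certificate a ClientHello naming
// sni would get, then verify it against the trusted pool and the dialled name.
func clientAccepts(cfg *tls.Config, pool *x509.CertPool, sni string) error {
	c, err := cfg.GetCertificate(&tls.ClientHelloInfo{ServerName: sni})
	if err == nil {
		_, err = c.Leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: sni})
	}
	return err
}
```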