Posted to dev@tomcat.apache.org by Ga...@collegeclub.com on 2000/01/13 09:20:43 UTC
Tomcat and SSL support
Are there any plans on getting SSL support into Tomcat? I was looking
around SUN's site and saw an early-access Secure Socket API package, but
when it goes into full release, are there any plans on adding the support
for it?
I was also looking into the Servlet API that came with JSWDK and the
version that I have is 1.0.1 and the Servlet API that came with Tomcat and
the API are different. The one thing I saw was the isSecure method in the
HttpServletRequest class, but in the JSWDK 1.0.1 that is not in there. I
tried to compile the SnoopServlet that came with Tomcat under the JSWDK
and it did not compile. Can someone please enlighten me?
The last thing I have to say/ask is, I got Apache 1.3.9, mod_ssl, and
Jserv all running on an NT machine and it is all working, but my question
is that if someone is viewing my site over SSL and accesses a servlet, is the
information that is passed to the servlet secure since it seems that the
information is passed through to Tomcat via TCP/IP on port 8007 (the Ajp12
connector)?
- Daniel D
--------------------------------------------------------------------------
Check out my web page at "http://home.collegeclub.com/GameCrazy/"
--------------------------------------------------------------------------
Re: Tomcat and SSL support
Posted by Jose Alberto Fernandez <jo...@us.oracle.com>.
Does Tomcat work with ajpv11? I thought it was ajpv12 only.
Don't you think all AJP protocols should be able to send SSL information across?
Is there a standard on how these env variables are called?
Jean-Luc Rochat wrote:
> Jose Alberto Fernandez wrote:
> >
> > I want to be able to pass the client SSL certificate info gathered by Apache to
> > Tomcat. So that tomcat can do SSL validation of the client.
> you can use ajpv11 instead of ajpv12. All CGI env vars are sent to the
> ajp server, including client's certificate.
> >
> > Does mod_ssl provide the certificate information in some standardized form so
> > that I can pass it to Tomcat?
> >
> > Is there a standard for, let's say, SSL CGI variables that is available on all
> > Apache/SSL implementations? Can I trust that all Apache/SSL implementations will
> > present the certificate information the same way?
> >
> yep. there is a "compatibility" mode in mod_ssl. read the mod_ssl docs.
> > Jose Alberto
>
> Jean-Luc
>
--
------------------------------------------------------------------------
Jose Alberto Fernandez 500 Oracle Parkway, M/S 9op4
Development Manager Redwood Shores, CA 94065
ORACLE Corp. Phone: (650) 506-8830
Java Products Group Fax: (650) 506-7303
Languages & Obj-Relational Tech Email: jofernan@us.oracle.com
Re: Tomcat and SSL support
Posted by Jean-Luc Rochat <jn...@cybercable.fr>.
Jose Alberto Fernandez wrote:
>
> I want to be able to pass the client SSL certificate info gathered by Apache to
> Tomcat. So that tomcat can do SSL validation of the client.
you can use ajpv11 instead of ajpv12. All CGI env vars are sent to the
ajp server, including client's certificate.
>
> Does mod_ssl provide the certificate information in some standardized form so
> that I can pass it to Tomcat?
>
> Is there a standard for, let's say, SSL CGI variables that is available on all
> Apache/SSL implementations? Can I trust that all Apache/SSL implementations will
> present the certificate information the same way?
>
yep. there is a "compatibility" mode in mod_ssl. read the mod_ssl docs.
> Jose Alberto
Jean-Luc
Re: Tomcat and SSL support
Posted by Jose Alberto Fernandez <jo...@us.oracle.com>.
I want to be able to pass the client SSL certificate info gathered by Apache to
Tomcat. So that tomcat can do SSL validation of the client.
Does mod_ssl provide the certificate information in some standardized form so
that I can pass it to Tomcat?
Is there a standard for, let's say, SSL CGI variables that is available on all
Apache/SSL implementations? Can I trust that all Apache/SSL implementations will
present the certificate information the same way?
Jose Alberto
Jean-Luc Rochat wrote:
> GameCrazy@collegeclub.com wrote:
> >
> > Are there any plans on getting SSL support into Tomcat? I was looking
> > around SUN's site and saw an early-access Secure Socket API package, but
> > when it goes into full release, are there any plans on adding the support
> > for it?
> >
> > I was also looking into the Servlet API that came with JSWDK and the
> > version that I have is 1.0.1 and the Servlet API that came with Tomcat and
> > the API are different. The one thing I saw was the isSecure method in the
> > HttpServletRequest class, but in the JSWDK 1.0.1 that is not in there. I
> > tried to compile the SnoopServlet that came with Tomcat under the JSWDK
> > and it did not compile. Can someone please enlighten me?
> >
> > The last thing I have to say/ask is, I got Apache 1.3.9, mod_ssl, and
> > Jserv all running on an NT machine and it is all working, but my question
> > is that if someone is viewing my site over SSL and accesses a servlet, is the
> > information that is passed to the servlet secure since it seems that the
> > information is passed through to Tomcat via TCP/IP on port 8007 (the Ajp12
> > connector)?
> >
> > - Daniel D
>
> I hope this will help. Any ajpv* server is a TCP (default port 8007)
> server and ajp protocol is not sent over SSL. So YOU have to protect
> YOUR network between Apache & ajp server.
> Your browser is never talking ajpv* directly with Tomcat. Your browser
> can directly access Tomcat over http or use Apache+mod_jserv, but SSL
> requires Apache+mod_jserv + one of the SSL modules. Then mod_jserv will
> "proxy" your requests to Tomcat over ajpv*.
> So all https requests are sent (& responses read) by the browser over
> SSL.
>
> #1 SSL with Apache & Tomcat
>
> +----------+     +----------------------+   +---------------+
> | browser  |     |        Apache        |   |    Tomcat     |
> |          |     +----------+-----------|   +---------------+
> |          |     |          | mod_jserv |   |   connector   |
> +----------+     +----------+-----------+   +--------+------+
> |   http   |     |   http   |           |   |        |      |
> |    +-----+     +-----+    |  ajpv1x   |   | ajpv1x | http |
> |    | SSL |     | SSL |    |           |   |        |      |
> |    |     |<--->| 443 | 80 |           |   |  8007  |  80  |
> +----+-----+     +-----+----+-----------+   +--------+------|
>                                   ^              ^
>             https                 |              |
>                                   +--------------+
>
>
> #2 http with Apache & Tomcat
> +----------+     +----------------------+   +---------------+
> | browser  |     |        Apache        |   |    Tomcat     |
> |          |     +----------+-----------|   +---------------+
> |          |     |          | mod_jserv |   |   connector   |
> +----------+     +----------+-----------+   +--------+------+
> |   http   |     |   http   |           |   |        |      |
> |    +-----+     +-----+    |  ajpv1x   |   | ajpv1x | http |
> |    | SSL |     | SSL | 80 |           |   |  8007  |  80  |
> +----+-----+     +-----+----+-----------+   +--------+------|
>    ^                     ^        ^              ^
>    |                     |        |              |
>    +---------------------+        +--------------+
>
>
> #3 http without Apache
> +----------+     +----------------------+   +---------------+
> | browser  |     |        Apache        |   |    Tomcat     |
> |          |     +----------+-----------|   +---------------+
> |          |     |          | mod_jserv |   |   connector   |
> +----------+     +----------+-----------+   +--------+------+
> |   http   |     |   http   |           |   |        |      |
> |    +-----+     +-----+    |  ajpv1x   |   | ajpv1x | http |
> |    | SSL |     | SSL | 80 |           |   |  8007  |  80  |
> +----+-----+     +-----+----+-----------+   +--------+------|
>    ^                                                    ^
>    |                                                    |
>    +----------------------------------------------------+
>
> Jean-Luc
>
Re: Tomcat and SSL support
Posted by Jean-Luc Rochat <jn...@cybercable.fr>.
GameCrazy@collegeclub.com wrote:
>
> Are there any plans on getting SSL support into Tomcat? I was looking
> around SUN's site and saw an early-access Secure Socket API package, but
> when it goes into full release, are there any plans on adding the support
> for it?
>
> I was also looking into the Servlet API that came with JSWDK and the
> version that I have is 1.0.1 and the Servlet API that came with Tomcat and
> the API are different. The one thing I saw was the isSecure method in the
> HttpServletRequest class, but in the JSWDK 1.0.1 that is not in there. I
> tried to compile the SnoopServlet that came with Tomcat under the JSWDK
> and it did not compile. Can someone please enlighten me?
>
> The last thing I have to say/ask is, I got Apache 1.3.9, mod_ssl, and
> Jserv all running on an NT machine and it is all working, but my question
> is that if someone is viewing my site over SSL and accesses a servlet, is the
> information that is passed to the servlet secure since it seems that the
> information is passed through to Tomcat via TCP/IP on port 8007 (the Ajp12
> connector)?
>
> - Daniel D
I hope this will help. Any ajpv* server is a TCP (default port 8007)
server and ajp protocol is not sent over SSL. So YOU have to protect
YOUR network between Apache & ajp server.
Your browser is never talking ajpv* directly with Tomcat. Your browser
can directly access Tomcat over http or use Apache+mod_jserv, but SSL
requires Apache+mod_jserv + one of the SSL modules. Then mod_jserv will
"proxy" your requests to Tomcat over ajpv*.
So all https requests are sent (& responses read) by the browser over
SSL.
#1 SSL with Apache & Tomcat

+----------+     +----------------------+   +---------------+
| browser  |     |        Apache        |   |    Tomcat     |
|          |     +----------+-----------|   +---------------+
|          |     |          | mod_jserv |   |   connector   |
+----------+     +----------+-----------+   +--------+------+
|   http   |     |   http   |           |   |        |      |
|    +-----+     +-----+    |  ajpv1x   |   | ajpv1x | http |
|    | SSL |     | SSL |    |           |   |        |      |
|    |     |<--->| 443 | 80 |           |   |  8007  |  80  |
+----+-----+     +-----+----+-----------+   +--------+------|
                                  ^              ^
            https                 |              |
                                  +--------------+

#2 http with Apache & Tomcat

+----------+     +----------------------+   +---------------+
| browser  |     |        Apache        |   |    Tomcat     |
|          |     +----------+-----------|   +---------------+
|          |     |          | mod_jserv |   |   connector   |
+----------+     +----------+-----------+   +--------+------+
|   http   |     |   http   |           |   |        |      |
|    +-----+     +-----+    |  ajpv1x   |   | ajpv1x | http |
|    | SSL |     | SSL | 80 |           |   |  8007  |  80  |
+----+-----+     +-----+----+-----------+   +--------+------|
   ^                     ^        ^              ^
   |                     |        |              |
   +---------------------+        +--------------+

#3 http without Apache

+----------+     +----------------------+   +---------------+
| browser  |     |        Apache        |   |    Tomcat     |
|          |     +----------+-----------|   +---------------+
|          |     |          | mod_jserv |   |   connector   |
+----------+     +----------+-----------+   +--------+------+
|   http   |     |   http   |           |   |        |      |
|    +-----+     +-----+    |  ajpv1x   |   | ajpv1x | http |
|    | SSL |     | SSL | 80 |           |   |  8007  |  80  |
+----+-----+     +-----+----+-----------+   +--------+------|
   ^                                                    ^
   |                                                    |
   +----------------------------------------------------+

Jean-Luc
Re: Tomcat and SSL support
Posted by Fernando Salazar <fe...@metatel.com>.
At 12:20 AM 1/13/00 -0800, you wrote:
>Are there any plans on getting SSL support into Tomcat? I was looking
>around SUN's site and saw an early-access Secure Socket API package, but
>when it goes into full release, are there any plans on adding the support
>for it?
>
>I was also looking into the Servlet API that came with JSWDK and the
>version that I have is 1.0.1 and the Servlet API that came with Tomcat and
>the API are different. The one thing I saw was the isSecure method in the
>HttpServletRequest class, but in the JSWDK 1.0.1 that is not in there. I
>tried to compile the SnoopServlet that came with Tomcat under the JSWDK
>and it did not compile. Can someone please enlighten me?
>
>The last thing I have to say/ask is, I got Apache 1.3.9, mod_ssl, and
>Jserv all running on an NT machine and it is all working, but my question
>is that if someone is viewing my site over SSL and accesses a servlet, is the
>information that is passed to the servlet secure since it seems that the
>information is passed through to Tomcat via TCP/IP on port 8007 (the Ajp12
>connector)?
This is an issue for your network configuration. First of all, you need to
secure Apache such that an attacker can't get access, run programs, etc. If
JServ is running on the Apache machine, that should be sufficient to secure
the info being passed between Apache and JServ.
If JServ is running on another machine, you need to set up Apache such that
it is outside your firewall/whatever, and that the JServ machine is inside
your firewall.
- Fernando
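
Added example (not part of the original thread, and not Tomcat or JServ code): a Python check for the point made in the two replies above, that ajpv1x on port 8007 is plain TCP and should stay on the Apache host or behind the firewall. It parses `netstat -an` output and returns the bind addresses on which port 8007 is reachable from other hosts; the sample output and the function names are constructed for illustration.

```python
import ipaddress
import re

AJP_PORT = 8007  # default ajpv1x port named in the thread

# Constructed sample: `netstat -an` lines in Windows NT and Linux layouts.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8007           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8007         0.0.0.0:0              LISTENING
tcp        0      0 10.0.0.5:8007           0.0.0.0:*               LISTEN
tcp6       0      0 :::8007                 :::*                    LISTEN
tcp        0      0 127.0.0.1:8007          127.0.0.1:41022         ESTABLISHED
"""

# Local address token: everything before the last colon is the host.
_ADDR = re.compile(r"^(?P<host>\S*):(?P<port>\d+)$")


def listeners(netstat_text):
    """Yield (host, port) for every TCP socket in a listening state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        if not fields[-1].upper().startswith("LISTEN"):
            continue
        # Windows: proto local remote state
        # Linux:   proto recv-q send-q local remote state
        local = fields[1] if len(fields) == 4 else fields[3]
        match = _ADDR.match(local)
        if match:
            yield match.group("host").strip("[]"), int(match.group("port"))


def exposed_ajp(netstat_text, port=AJP_PORT):
    """Return bind addresses where the cleartext AJP port is reachable off-host."""
    exposed = []
    for host, bound_port in listeners(netstat_text):
        if bound_port != port:
            continue
        if host in ("*", "::"):
            exposed.append(host)  # wildcard bind: every interface
        elif not ipaddress.ip_address(host).is_loopback:
            exposed.append(host)  # includes 0.0.0.0 and routable addresses
    return exposed
```

An empty result means the connector listens on loopback only, which is the same-machine case; any other result has to be covered by the firewall placement described above.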
RE: Tomcat and SSL support
Posted by Klaus Myrseth <kl...@infohwy.no>.
> I was also looking into the Servlet API that came with JSWDK and the
> version that I have is 1.0.1 and the Servlet API that came with Tomcat and
> the API are different. The one thing I saw was the isSecure method in the
> HttpServletRequest class, but in the JSWDK 1.0.1 that is not in there. I
> tried to compile the SnoopServlet that came with Tomcat under the JSWDK
> and it did not compile. Can someone please enlighten me?
The JSWDK is made for another specification of the servlet standard. The
Tomcat product is a new product following the new specifications from Sun
Microsystems (2.2). This is why you get the problems you get. The JSWDK was
a reference implementation of the previous specifications. Tomcat is the
reference implementation for the new specification :)
I hope this answers why the Servlet from Tomcat will not run on JSWDK.
Klaus Myrseth
System Consultant - Java/WAP
Information Highway AS