Posted to users@tomcat.apache.org by Sam Newman <sa...@btinternet.com> on 2001/04/23 12:59:28 UTC

SSL detection

I have Apache and Tomcat running together under SSL. I now want to create a
page which only runs under SSL. I want http and https to share the same
documents however. My first idea is to simply have a tag handler, which
detects the protocol, and if not SSL it simply redirects to a page explaining
why they cannot view the requested document.
My problem is that I'm not sure on the correct way to retrieve what type of
protocol is being used. There is a getAuthType method in HttpServletRequest,
but the return type is simply a string (e.g. "BASIC" or "SSL"). My concern
is that this return could vary from browser to browser. Can I assume that if
using SSL the return will always be the string "SSL"? Also, how can I detect
which level of encryption is being used? Ideally, I'd like to restrict users
to connecting using 128bit only, or at least issue a warning when it's at
40bit.

Thanks in advance,

Sam


Re: SSL detection

Posted by Sam Newman <sa...@btinternet.com>.
I'm not sure if this is different on winNT, as I did it on Linux, and so
these instructions are really for that. All the packages mentioned here I
think also come with win32 instructions. First, get Apache using mod_ssl.
Easiest way to do this is to download openssl 0.9.6a (www.openssl.org), the
latest apache source (www.apache.org) and the mod_ssl source (search
google - can't remember the url - maybe www.modssl.org). The mod_ssl
install file then explains how to build all 3 packages and get them running.
Then get Apache serving .jsp and servlets via tomcat using the ajpv13
protocol (look at the Apache-Tomcat howto in the docs). The older ajpv12
protocol has some issues with SSL. The servlets and jsps should work equally
well under https or http, with the exception (perhaps) of URL rewriting
when the client has cookies disabled (search the archive for recent posts
for more info).

As I said, this worked for me on Linux, more specifically under SuSE 7.0.

sam
----- Original Message -----
From: "subbu" <su...@ibc.co.in>
To: <to...@jakarta.apache.org>
Sent: Tuesday, April 24, 2001 3:27 AM
Subject: Re: SSL detection


> Hello SAM could U please tell me How to configure apache to support SSL
> (winnt)
> with love
> subbu.
> ----- Original Message -----
> From: "Sam Newman" <sa...@btinternet.com>
> To: <to...@jakarta.apache.org>
> Sent: Monday, April 23, 2001 3:59 AM
> Subject: SSL detection
>
>
> > I have Apache and Tomcat running together under SSL. I now want to create a
> > page which only runs under SSL. I want http and https to share the same
> > documents however. My first idea is to simply have a tag handler, which
> > detects the protocol, and if not SSL it simply redirects to a page explaining
> > why they cannot view the requested document.
> > My problem is that I'm not sure on the correct way to retrieve what type of
> > protocol is being used. There is a getAuthType method in HttpServletRequest,
> > but the return type is simply a string (e.g. "BASIC" or "SSL"). My concern
> > is that this return could vary from browser to browser. Can I assume that if
> > using SSL the return will always be the string "SSL"? Also, how can I detect
> > which level of encryption is being used? Ideally, I'd like to restrict users
> > to connecting using 128bit only, or at least issue a warning when it's at
> > 40bit.
> >
> > Thanks in advance,
> >
> > Sam
>
>


Books on Tomcat

Posted by Will England <wi...@mylanders.com>.
Hi!

Does anyone know of any dead-tree books that document the Tomcat platform?

I've checked O'Reilly and Amazon, with no luck.  I've found a few simple
basic articles, but that is it.

Thanks in advance!

Will


-- 
  "If Al Gore invented the Internet, then I invented spellcheck!"
      Dan Quayle, quoted at the National Press Club, 8/3/1999 
                          will@mylanders.com 
  Recovery  : http://will.mylanders.com/         PCS:  316-371-FOAD 



Re: SSL detection

Posted by subbu <su...@ibc.co.in>.
Hello SAM could U please tell me How to configure apache to support SSL
(winnt)
with love
subbu.
----- Original Message -----
From: "Sam Newman" <sa...@btinternet.com>
To: <to...@jakarta.apache.org>
Sent: Monday, April 23, 2001 3:59 AM
Subject: SSL detection


> I have Apache and Tomcat running together under SSL. I now want to create a
> page which only runs under SSL. I want http and https to share the same
> documents however. My first idea is to simply have a tag handler, which
> detects the protocol, and if not SSL it simply redirects to a page explaining
> why they cannot view the requested document.
> My problem is that I'm not sure on the correct way to retrieve what type of
> protocol is being used. There is a getAuthType method in HttpServletRequest,
> but the return type is simply a string (e.g. "BASIC" or "SSL"). My concern
> is that this return could vary from browser to browser. Can I assume that if
> using SSL the return will always be the string "SSL"? Also, how can I detect
> which level of encryption is being used? Ideally, I'd like to restrict users
> to connecting using 128bit only, or at least issue a warning when it's at
> 40bit.
>
> Thanks in advance,
>
> Sam


Re: SSL detection

Posted by Sam Newman <sa...@btinternet.com>.
Many thanks for that. I was looking under get methods in the index so I
missed the isSecure one, d'oh!
Now all I have to do is to try and get the encryption strength.....I think I
could do that with some client side java script though.

sam
----- Original Message -----
From: "Wolle" <wo...@dorf.RWTH-Aachen.DE>
To: <to...@jakarta.apache.org>
Sent: Monday, April 23, 2001 12:34 PM
Subject: Re: SSL detection


> Hello,
> you can check it with the method "request.isSecure".
> That will give you true or false; make sure you use the ajp13 protocol with
> mod_jk.
> I don't know how to get the detailed information about the protocol and the key.
>
> Greetings,
> Wolle
>



Re: SSL detection

Posted by Wolle <wo...@dorf.RWTH-Aachen.DE>.
Hello,
you can check it with the method "request.isSecure".
That will give you true or false; make sure you use the ajp13 protocol with
mod_jk.
I don't know how to get the detailed information about the protocol and the key.

Greetings,
Wolle

Sam Newman wrote:

> I have Apache and Tomcat running together under SSL. I now want to create a
> page which only runs under SSL. I want http and https to share the same
> documents however. My first idea is to simply have a tag handler, which
> detects the protocol, and if not SSL it simply redirects to a page explaining
> why they cannot view the requested document.
> My problem is that I'm not sure on the correct way to retrieve what type of
> protocol is being used. There is a getAuthType method in HttpServletRequest,
> but the return type is simply a string (e.g. "BASIC" or "SSL"). My concern
> is that this return could vary from browser to browser. Can I assume that if
> using SSL the return will always be the string "SSL"? Also, how can I detect
> which level of encryption is being used? Ideally, I'd like to restrict users
> to connecting using 128bit only, or at least issue a warning when it's at
> 40bit.
>
> Thanks in advance,
>
> Sam

--
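
An added example, not part of the original thread and not code from any poster: a servlet filter that combines the request.isSecure check suggested above with the key-size restriction asked about in the original question. It assumes a Servlet 2.3 or later container that sets the javax.servlet.request.key_size request attribute on SSL requests (behind Apache, that the connector forwards it); the class name RequireStrongSslFilter and the MIN_KEY_BITS constant are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: only lets a request through on SSL with a strong cipher. */
public class RequireStrongSslFilter implements Filter {

    /** Minimum effective key size in bits (the 128-bit goal from the question). */
    private static final int MIN_KEY_BITS = 128;

    public void init(FilterConfig config) { }

    public void destroy() { }

    /**
     * Decision logic kept free of servlet types so it can be unit tested.
     * Fails closed: a missing or non-Integer key size is treated as too weak,
     * because the container may not have been told the cipher strength.
     */
    static boolean isAcceptable(boolean secure, Object keySizeAttr) {
        if (!secure) {
            return false;                      // plain http
        }
        if (!(keySizeAttr instanceof Integer)) {
            return false;                      // strength unknown
        }
        return ((Integer) keySizeAttr).intValue() >= MIN_KEY_BITS;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // isSecure() reports the transport; getAuthType() reports how the user
        // was authenticated, so it is not a test for SSL.
        Object keySize = req.getAttribute("javax.servlet.request.key_size");
        if (isAcceptable(req.isSecure(), keySize)) {
            chain.doFilter(req, res);
            return;
        }
        // Assumes an HTTP container, so the cast is safe here.
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                "This page requires SSL with at least " + MIN_KEY_BITS + "-bit encryption");
    }
}
```

Mapping the filter to the protected URL pattern in web.xml keeps the same documents reachable over both http and https while refusing the weak or unencrypted requests.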


Re: SSL detection

Posted by Sam Newman <sa...@btinternet.com>.
I should have thought of that myself. The page will now actually behave
differently depending on whether the page is accessed securely now - ain't
goal post moving a wonderful thing? I just hope I can finish the work before
they decide they want it done in ASP instead.....

sam
----- Original Message -----
From: "Jan Labanowski" <jk...@osc.edu>
To: <to...@jakarta.apache.org>
Cc: "Jan Labanowski" <jk...@osc.edu>
Sent: Monday, April 23, 2001 2:31 PM
Subject: Re: SSL detection


> The simpler way would be to put into httpd.conf the block
>
>
> <Directory "/my/directory">
> <Limit>
>    Order deny,allow
>    Deny from all
> </Limit>
> </Directory>
>
> In the HTTP section (before the SSL section in the httpd.conf)
>
> and the block
> <Directory "/my/directory">
> <Limit>
>    Order deny,allow
>    Allow from all
> </Limit>
> </Directory>
>
> within the HTTPS section (within the SSL section of httpd.conf).
> You may also need to define "Alias", and to it by "Location",
> but try this first.



Re: SSL detection

Posted by Jan Labanowski <jk...@osc.edu>.
The simpler way would be to put into httpd.conf the block


<Directory "/my/directory">
<Limit>
   Order deny,allow
   Deny from all
</Limit>
</Directory>

In the HTTP section (before the SSL section in the httpd.conf)

and the block
<Directory "/my/directory">
<Limit>
   Order deny,allow
   Allow from all
</Limit>
</Directory>

within the HTTPS section (within the SSL section of httpd.conf).
You may also need to define "Alias", and to it by "Location",
but try this first.


On Mon, 23 Apr 2001, Sam Newman wrote:

> I have Apache and Tomcat running together under SSL. I now want to create a
> page which only runs under SSL. I want http and https to share the same
> documents however. My first idea is to simply have a tag handler, which
> detects the protocol, and if not SSL it simply redirects to a page explaining
> why they cannot view the requested document.
> My problem is that I'm not sure on the correct way to retrieve what type of
> protocol is being used. There is a getAuthType method in HttpServletRequest,
> but the return type is simply a string (e.g. "BASIC" or "SSL"). My concern
> is that this return could vary from browser to browser. Can I assume that if
> using SSL the return will always be the string "SSL"? Also, how can I detect
> which level of encryption is being used? Ideally, I'd like to restrict users
> to connecting using 128bit only, or at least issue a warning when it's at
> 40bit.
> 
> Thanks in advance,
> 
> Sam
> 

Jan K. Labanowski            |    phone: 614-292-9279,  FAX: 614-292-7168
Ohio Supercomputer Center    |    Internet: jkl@osc.edu 
1224 Kinnear Rd,             |    http://www.ccl.net/chemistry.html
Columbus, OH 43212-1163      |    http://www.osc.edu/