Posted to dev@tomcat.apache.org by Nick Bauman <ni...@cortexity.com> on 2000/09/06 17:24:23 UTC

RE: Tomcat 3.2 SSL question

Stefan,

It sounds more like what you are describing is a "strong extranet" type of
authentication where client-side as well as server-side certificates are
utilized (aka SSL v.3)

So the question recast might be: "does Tomcat have support for SSL
v.3"? Surely the SSL libraries used with Tomcat do, which means if
Tomcat doesn't have "out-of-box" support for it, you could implement it
via the Interceptor or Valve interfaces / base classes yourself. No?

On Wed, 6 Sep 2000, Stefan Freyr Stefansson wrote:

> Thank you for this reply Costin and I'm sorry for the delay of replying to
> it...
> 
> The problem is that we don't use Apache + Tomcat.  The reason for this is
> that we do not need a high performance http server and Apache would be much
> too big to integrate into our project.  Therefore we are using Tomcat.
> 
> So I would like to get some info on HOW two way authentication in Tomcat is
> done... can anybody point me in the right direction?
> 
> Thanks again in advance.
> Stefan
> 
> -----Original Message-----
> From: Costin Manolache [mailto:cmanolache@yahoo.com]
> Sent: 30. agust 2000 16:30
> To: tomcat-dev@jakarta.apache.org
> Subject: Re: Tomcat 3.2 SSL question
> 
> 
> > My first question is the obvious one.  When is Tomcat 3.2 final supposed to
> > come out?
> 
> To quote Jon:
> When it's ready.
> 
> Few weeks ago I would have hoped for a faster release, but seeing the
> amount of testing and detailing that's going on I would wait a bit more.
> ( documentations, script improvements, all kind of fixes, etc.). My feeling
> is that's very close.
> 
> > start bugging you guys about it.  But... I would like to know if Tomcat 3.2
> > SSL (once I get it up and running) supports two way authentication.  I need
> > the client to be able to verify that he/she is talking to the server he/she
> > believes he/she is talking to... (a lot of he/she's in there... anything to
> > be politically correct ;o) But I also need to be able to verify that the
> > client is who he/she says he/she is (this is ridiculous).  For that I need
> > two way authentication.
> 
> Probably it's he/she/it ( the browser is the client most of the time ).
> I never tested this feature, but I saw few reports that it works.
> 
> If you use Tomcat + Apache then you can just use the Apache's
> SSL for mutual authentication ( it should work faster too )
> 
> > One other thing is about the licencing.  Our plan is to integrate Tomcat
> > into one of our own products.  The product is not a commercial product and
> > very unlikely that anybody could benefit from using this thing except for my
> > company...  I would like to know if it is all right to use Tomcat in such a
> > way?  Are there any limitations or fees???  We looked at the licence file
> > that came with the Tomcat download and the way we understood that was that
> > we could basically use it any which way we wanted given that we included
> > some things in our manual and didn't change the headers of the source files
> > (you know... the thing with all the copyright thingys and such).
> 
> AFAIK you can do anything you want except claim it's yours :-)
> This is a frequent question - maybe we should add something on the
> web page.
> 
> Costin
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 


RE: Tomcat 3.2 SSL question

Posted by Stefan Freyr Stefansson <st...@decode.is>.
Ok... now we're getting somewhere...  This is something which may be the
thing we need to do.
I am, however, not familiar with what you're talking about when you talk
about the "Interceptor or Valve interfaces / base classes" but I'm guessing
that this may be some class that Tomcat uses for the connections.  Any
additional information on this would be very much appreciated.  I've gone
through the source files of Tomcat and found no "Interceptor.java" nor
"Valve.java" files...  (I also looked at the generated javadoc files).  Does
this have anything to do with the socketFactory or Connector/Handler
parameters in the server.xml file in the tomcat "conf" directory?  If I
"implement these classes on my own" where would I use them?  Will they be
dynamic (like with a conf file where you can select which implementation to
use) or will they replace the previous ones?

If you could either explain to me a little bit more about this or point me
to a place where I could find out more that would be greatly appreciated.

Thanks in advance,
	Stefan Freyr

-----Original Message-----
From: Nick Bauman [mailto:nick@cortexity.com]
Sent: 6. september 2000 15:24
To: tomcat-dev@jakarta.apache.org
Subject: RE: Tomcat 3.2 SSL question


Stefan,

It sounds more like what you are describing is a "strong extranet" type of
authentication where client-side as well as server-side certificates are
utilized (aka SSL v.3)

So the question recast might be: "does Tomcat have support for SSL
v.3"? Surely the SSL libraries used with Tomcat do, which means if
Tomcat doesn't have "out-of-box" support for it, you could implement it
via the Interceptor or Valve interfaces / base classes yourself. No?

On Wed, 6 Sep 2000, Stefan Freyr Stefansson wrote:

> Thank you for this reply Costin and I'm sorry for the delay of replying to
> it...
>
> The problem is that we don't use Apache + Tomcat.  The reason for this is
> that we do not need a high performance http server and Apache would be much
> too big to integrate into our project.  Therefore we are using Tomcat.
>
> So I would like to get some info on HOW two way authentication in Tomcat is
> done... can anybody point me in the right direction?
>
> Thanks again in advance.
> Stefan
>
> -----Original Message-----
> From: Costin Manolache [mailto:cmanolache@yahoo.com]
> Sent: 30. agust 2000 16:30
> To: tomcat-dev@jakarta.apache.org
> Subject: Re: Tomcat 3.2 SSL question
>
>
> > My first question is the obvious one.  When is Tomcat 3.2 final supposed to
> > come out?
>
> To quote Jon:
> When it's ready.
>
> Few weeks ago I would have hoped for a faster release, but seeing the
> amount of testing and detailing that's going on I would wait a bit more.
> ( documentations, script improvements, all kind of fixes, etc.). My feeling
> is that's very close.
>
> > start bugging you guys about it.  But... I would like to know if Tomcat 3.2
> > SSL (once I get it up and running) supports two way authentication.  I need
> > the client to be able to verify that he/she is talking to the server he/she
> > believes he/she is talking to... (a lot of he/she's in there... anything to
> > be politically correct ;o) But I also need to be able to verify that the
> > client is who he/she says he/she is (this is ridiculous).  For that I need
> > two way authentication.
>
> Probably it's he/she/it ( the browser is the client most of the time ).
> I never tested this feature, but I saw few reports that it works.
>
> If you use Tomcat + Apache then you can just use the Apache's
> SSL for mutual authentication ( it should work faster too )
>
> > One other thing is about the licencing.  Our plan is to integrate Tomcat
> > into one of our own products.  The product is not a commercial product and
> > very unlikely that anybody could benefit from using this thing except for my
> > company...  I would like to know if it is all right to use Tomcat in such a
> > way?  Are there any limitations or fees???  We looked at the licence file
> > that came with the Tomcat download and the way we understood that was that
> > we could basically use it any which way we wanted given that we included
> > some things in our manual and didn't change the headers of the source files
> > (you know... the thing with all the copyright thingys and such).
>
> AFAIK you can do anything you want except claim it's yours :-)
> This is a frequent question - maybe we should add something on the
> web page.
>
> Costin
>
>
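
What the two-way authentication asked about in this thread comes down to in Java's standard JSSE API, as an added example (not from the thread and not Tomcat's own code). It uses the current javax.net.ssl classes; the class name, keystore file names, password and port are placeholder assumptions.

```java
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

// Added illustration: a server socket that refuses clients without a trusted certificate.
public class MutualTlsServer {

    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    static SSLServerSocket open(int port, String keyStore, String trustStore, char[] pw)
            throws Exception {
        // Server identity: the private key and certificate presented to every client.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStore, pw), pw);
        // Trust anchors: only client certificates chaining to these CAs are accepted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, pw));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        // This switch makes authentication two-way: the handshake fails if the client
        // sends no certificate. setWantClientAuth(true) would only request one.
        ss.setNeedClientAuth(true);
        return ss;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();             // placeholder password
        try (SSLServerSocket ss = open(8443, "server-keystore.p12", "client-ca-truststore.p12", pw)) {
            while (true) {
                try (SSLSocket s = (SSLSocket) ss.accept()) {
                    s.startHandshake();
                    // First element of the chain is the client's own certificate.
                    X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
                    String who = peer.getSubjectX500Principal().getName();
                    new PrintWriter(s.getOutputStream(), true).println("authenticated as " + who);
                } catch (IOException e) {
                    // Handshake failures (missing or untrusted client certificate) end up here.
                    System.err.println("rejected: " + e.getMessage());
                }
            }
        }
    }
}
```

The subject name read from the certificate is only an identity; deciding what that identity may do is a separate authorization step in the application.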

