Diarmuid,

On 1/8/15 8:51 AM, dmccrthy wrote:
> Is it possible to configure or hack Tomcat in some way to
> intercept outbound HTTP URL requests from a deployed web
> application and convert them to HTTPS with Mutual Authentication?

Why not just do that directly in your web application?

The short answer is that Tomcat is only in charge of the incoming requests; what your web application decides to do (e.g. making an outgoing connection) is not its concern. There may be full Java EE servers that provide services like what you describe, but Tomcat does not.

> My scenario is:
>
> * 3rd party web application that makes client invocations to a
>   server that requires HTTPS with Mutual Authentication
> * I don’t know what framework the web application uses or how it
>   creates the HTTP client connections
> * I can’t make changes to the 3rd party application

I see. Can you change the URL that the 3rd party application uses to call-out?

> I have investigated the below but they don’t seem to offer a
> solution
>
> * Adding Custom Resource Factories -
>   http://tomcat.apache.org/tomcat-7.0-doc/jndi-resources-howto.html.
>   This requires changes to the client application
> * HTTP connector -
>   http://tomcat.apache.org/tomcat-7.0-doc/config/http.html. This is
>   for the Tomcat web server, not for outbound client connections

Nah, what you'd want to do is register a URL protocol stream handler, and then use that special URL which would then call your code. Your code can decorate the connection however it wants. What you are really trying to do is a MITM attack against your own software.

You can check out this project on SourceForge which has all the source code available to register a protocol handler. You'd have to write the HTTP-to-HTTPS stuff, though.

https://sourceforge.net/projects/tuc/

> I have successfully configured the server and can make SoapUI calls
> to it using HTTPS and Mutual Authentication. If I had control of
> the client code I would use HttpClient and accomplish it that way.
>
> For the Tomcat client application I have searched Google,
> Stackoverflow, and the Tomcat wiki and mail archives but all
> HTTPS/Mutual Authentication solutions I can find refer to Tomcat as
> the web server, not to web applications making outbound connections
> from a Tomcat instance.
>
> If there is no option to configure Tomcat then the only options I
> can think of are below, but if anyone has any other insights it
> would be much appreciated.
>
> 1) Write a between the Tomcat “client” instance and the HTTPS/MA
>    endpoint
> 2) Find out the framework/socket factory/url connection
>    factory the 3rd party web app uses and override it with a Tomcat
>    plugin
> 3) Raise a feature request with the 3rd party vendor to
>    support HTTPS/MA

Ultimately, #4 is the right solution: you should start there and only resort to heroic measures if they either say "no" or tell you that the timeframe is going to be very long.

Hope that helps,
-chris
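
The protocol stream handler approach described in the reply above, as an added example (not code from this thread or from the tuc project): a handler for a hypothetical `mtls` scheme that reopens each request as HTTPS and presents a client certificate. The class name, the scheme name and the keystore arguments are assumptions; it only takes effect if the application opens its connections through `java.net.URL` and can be configured with an `mtls://` URL.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical handler: mtls://host/path is fetched as https://host/path with a client cert.
public final class MutualTlsHandler extends URLStreamHandler {
    private final SSLSocketFactory socketFactory;

    public MutualTlsHandler(String keyStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore clientKeys = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(keyStorePath))) {
            clientKeys.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, password);
        // Passing null trust managers keeps the JVM's default server certificate validation.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        this.socketFactory = ctx.getSocketFactory();
    }

    @Override
    protected URLConnection openConnection(URL u) throws IOException {
        // Same host, port, path and query; only the scheme changes. Port -1 means the https default.
        URL target = new URL("https", u.getHost(), u.getPort(), u.getFile());
        HttpsURLConnection conn = (HttpsURLConnection) target.openConnection();
        conn.setSSLSocketFactory(socketFactory);
        return conn;
    }

    // The JVM accepts only one factory: this call throws Error if one is already set,
    // which a container may have done, so it must run before any other registration.
    public static void register(String keyStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        MutualTlsHandler handler = new MutualTlsHandler(keyStorePath, password);
        URL.setURLStreamHandlerFactory(p -> "mtls".equals(p) ? handler : null);
    }
}
```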