dmccrthy wrote:
Hi,

Is it possible to configure or hack Tomcat in some way to intercept
outbound HTTP URL requests from a deployed web application and convert them
to HTTPS with Mutual Authentication?

My scenario is:

* 3rd party web application that makes client invocations to a server that
requires HTTPS with Mutual Authentication
* I don’t know what framework the web application uses or how it creates
the HTTP client connections
* I can’t make changes to the 3rd party application

I have investigated the below but they don’t seem to offer a solution

* Adding Custom Resource Factories -
http://tomcat.apache.org/tomcat-7.0-doc/jndi-resources-howto.html. This
requires changes to the client application
* HTTP connector - http://tomcat.apache.org/tomcat-7.0-doc/config/http.html.
This is for the Tomcat web server, not for outbound client connections

I have successfully configured the server and can make SoapUI calls to it
using HTTPS and Mutual Authentication. If I had control of the client code
I would use HttpClient and accomplish it that way.

For the Tomcat client application I have searched Google, Stackoverflow,
and the Tomcat wiki and mail archives but all HTTPS/Mutual Authentication
solutions I can find refer to Tomcat as the web server, not to web
applications making outbound connections from a Tomcat instance.

If there is no option to configure Tomcat then the only options I can think
of are below, but if anyone has any other insights it would be much
appreciated.

1) Write a between the Tomcat “client” instance and the HTTPS/MA endpoint
2) Find out the framework/socket factory/url connection factory the
3rd party web app uses and override it with a Tomcat plugin
3) Raise a feature request with the 3rd party vendor to support HTTPS/MA


I don't know really about the "hacking Tomcat" option (but I believe that is not possible in this case, because Tomcat is not involved at all in those connections which the webapp is making "on the side").

This is what you could do outside of Tomcat (but it is some work) :

1) find out to what hostname:port that application is making a call.
Say for now that it is "server.company.com:8000".

2) in the "hosts" file of the Tomcat server, add an entry for that hostname, with IP address 127.0.0.1, like
127.0.0.1 server.company.com
(alternatively, you could use another valid IP of your Tomcat server)

3) on the Tomcat server, create a separate "proxy" process which listens on that IP and port 8000 for such HTTP requests, and forwards them via HTTPS to the real external host/port (while being careful not to create a loop via the hosts file - iow, if possible, it should not do a DNS lookup for the external hostname "server.company.com", because it would get 127.0.0.1 as the IP address, and that would be self-defeating)

Of course then, the burden of the HTTPS/MA dialog falls on that process which 
you create.

Note that this approach is somewhat simplistic and flaky, and will only work if these external HTTP requests/responses are really simple, and the responses returned by the external server don't do things like re-directs elsewhere etc..

It would indeed be a lot better to ask the webapp provider to fix their code.

But also note that to simplify your life you may be able, for this separate "proxy" process, to use an already-existing piece of software such as an Apache httpd webserver (listening on localhost:8000) (*), or some utility that creates "tunnels"..

(*) or even a dedicated Tomcat instance, provided you find a webapp able to act as a HTTPS/MA proxy
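To make steps 1 to 3 of the reply concrete, here is an added example of such a separate "proxy" process, written for this thread and not taken from the original posts or from Tomcat itself. It listens on 127.0.0.1:8000 (the address the hosts-file entry now points "server.company.com" at), forwards each plain HTTP request to the real server over HTTPS with a client certificate, and connects to the upstream by an explicitly configured IP address so it never resolves the hostname through the hosts file and loops back to itself. The IP address, port, and certificate/key/CA paths are placeholders you would replace; "server.company.com:8000" is the hostname used in the reply.

```python
"""HTTP -> HTTPS mutual-authentication forwarding proxy (added example).

Assumed setup, all placeholders:
  * the webapp calls http://server.company.com:8000/...
  * /etc/hosts on the Tomcat box maps server.company.com -> 127.0.0.1
  * this process listens on 127.0.0.1:8000 and forwards to the real server,
    whose IP is configured here so the hosts-file override cannot loop back.
"""
import socket
import ssl
from http.client import HTTPResponse
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

LISTEN_ADDR = ("127.0.0.1", 8000)
UPSTREAM_HOSTNAME = "server.company.com"  # name the webapp uses; must match the server cert
UPSTREAM_IP = "203.0.113.10"              # placeholder (TEST-NET-3); the real server's address
UPSTREAM_PORT = 443
CLIENT_CERT = "/path/to/client-cert.pem"  # placeholder paths for the MA client cert, key, and
CLIENT_KEY = "/path/to/client-key.pem"    # the CA bundle that signed the server certificate
CA_BUNDLE = "/path/to/server-ca.pem"

# Hop-by-hop headers (RFC 7230 section 6.1) are not forwarded by a proxy.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}


def build_client_context(cert, key, ca_bundle):
    """TLS context for the outbound leg: verify the server against our CA bundle,
    check its hostname, and present our own certificate (the mutual-auth half)."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx


def rewrite_headers(headers, upstream_hostname):
    """Copy request headers for the upstream, dropping hop-by-hop headers and
    replacing Host (the webapp sent our local name and port 8000)."""
    out = [(k, v) for k, v in headers
           if k.lower() not in HOP_BY_HOP and k.lower() != "host"]
    out.insert(0, ("Host", upstream_hostname))
    out.append(("Connection", "close"))
    return out


def open_upstream(ctx, ip, port, hostname):
    """Connect by IP (no DNS lookup, so the hosts-file entry cannot send us to
    ourselves) but give TLS the real hostname for SNI and certificate checking."""
    raw = socket.create_connection((ip, port), timeout=30)
    return ctx.wrap_socket(raw, server_hostname=hostname)


def forward(ctx, method, path, headers, body):
    """Send one request upstream; return (status, reason, headers, body)."""
    tls = open_upstream(ctx, UPSTREAM_IP, UPSTREAM_PORT, UPSTREAM_HOSTNAME)
    try:
        lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
        tls.sendall(("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body)
        resp = HTTPResponse(tls, method=method)
        resp.begin()
        data = resp.read()
        return resp.status, resp.reason, list(resp.getheaders()), data
    finally:
        tls.close()


class Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"
    ctx = None  # TLS context, assigned at startup

    def _proxy(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length) if length else b""
        headers = rewrite_headers(self.headers.items(), UPSTREAM_HOSTNAME)
        try:
            status, reason, rheaders, data = forward(
                self.ctx, self.command, self.path, headers, body)
        except (OSError, ssl.SSLError) as exc:
            # Certificate rejection or connection failure shows up here, not in the webapp.
            self.send_error(502, f"upstream failure: {exc}")
            return
        self.send_response(status, reason)
        for k, v in rheaders:
            if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = _proxy


if __name__ == "__main__":
    Handler.ctx = build_client_context(CLIENT_CERT, CLIENT_KEY, CA_BUNDLE)
    ThreadingHTTPServer(LISTEN_ADDR, Handler).serve_forever()
```

This has exactly the limits the reply warns about: a redirect from the real server is passed back to the webapp unchanged (it will then point at the HTTPS origin the webapp cannot reach), chunked request bodies are not handled, and the client private key now lives in this process rather than in the webapp, so file permissions on the key and the listening address (127.0.0.1, not a public interface) are what keep other local users from borrowing the webapp's identity. The `check_hostname`/`CERT_REQUIRED` settings are what make the outbound leg verify the server; connecting by IP while passing `server_hostname` is what keeps that verification intact without a DNS lookup.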
