David,

David Wall wrote:
>
>> No, I don't want SSL enabled. I want Tomcat to NOT do SSL, but I want it
>> to report to my application that SSL is being used.
>>
> So you want quality software to lie to you? It would be a bug if Tomcat
> said it was secure when it's not, and it sounds pretty goofy to want it.

What about the AJP connector, which does exactly the same thing? An SSL
connection to Apache httpd is translated into a non-secure communication
to Tomcat, and yet request.isSecure() returns true.

>> The deal is that I want to be able to have a localhost-only <Connector>
>> that appears to be secure, but isn't actually using SSL so I can avoid
>> the SSL performance hit.
>
> So use HTTP. "Appearing" secure buys you nothing other than fooling
> yourself. You are not telling us something because such a spec makes no
> sense. Your app can assume anything it wants (boolean isSecure = true;
> int one = 2;).

I would also like to use
<transport-guarantee>CONFIDENTIAL</transport-guarantee> which
essentially requires HTTPS to be used. I would like to represent a
connection as secure, not as HTTPS. Since I trust localhost, I consider
that secure, just as I trust the connections coming from mod_jk as
outlined above. This is not a case of true = false or 1 = 2.

-chris
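Added example, not part of the original message or of the Tomcat project's own configuration: one way to get the behaviour discussed above is the HTTP connector's `scheme` and `secure` attributes on a loopback-only connector, shown with the CONFIDENTIAL constraint it has to satisfy. The port numbers and the resource name are assumed values.

```xml
<!-- Added illustration, not from the original thread. Ports are assumed values. -->

<!-- server.xml: plain-HTTP connector reachable only over loopback.
     A TLS-terminating front end on the same host forwards requests here. -->
<Connector port="8081"
           protocol="HTTP/1.1"
           address="127.0.0.1"
           scheme="https"
           secure="true"
           proxyPort="443" />
<!-- address  : bind to loopback only; every request arriving on this port is
                reported as secure, so nothing off-host may reach it
     scheme   : value returned by request.getScheme()
     secure   : value returned by request.isSecure()
     proxyPort: value returned by request.getServerPort(), used in redirects -->

<!-- web.xml: the constraint from the message. Tomcat evaluates it against
     request.isSecure(), so requests through the connector above pass
     without being redirected. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With `secure="true"`, the transport guarantee rests entirely on who can connect to the port, so the `address` binding and host firewall rules carry the protection that TLS would otherwise provide on this hop.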