Hi André, first: Please forgive me my late answer also to your PM, however, I was really busy here so that I didn't find any time to answer in an appropriate (aka detailed) manner.
So here we go: Customers ---------------- When talking about customers, I'm actually talking about our staff from the business-dept, and I'm talking about external customers. Since we are a Reinsurer, the external customers are primary insurers as mots of you guys will have to deal with sooner or later. If any requirement for a website is suggested, this always comes from our internal customers Type of Websites ------------------------- We have to distinguish between to different types of websites: Type I: Are websites open to the public which might be interested in our products. This contains some data available to the public, plus some protected contents where only selected propects / customers have access to. Currently, those sites are not SSL-encrypted, however, there is AAA for some content using Form-based login. Type II: Are websites accessible to our external worlwide customers (Life-Insurers) only. Since our clients also might enter data from their customers (i.e. Life-Insurance-clients from primary insurers), data always are confidential, thus those sites are always SSL-encrypted. Setup -------- Our current setup for both types is as follows: - Apache 2.2 in front for static content - Tomcat 5.5 for dynamic content attached to Apache HTTPD via mod_jk - For authorization we are using Apache HTTPD's authorization in combination with mod_auth_cookie_mysql2 (http://home.digithi.de/digithi/dev/mod_auth_cookie_mysql/) AAA works in such a way, that Apache HTTPD is taking the request, checks, if it point to protected content, if so, forwards to a protected Tomcat-hosted JSP. The JSP is utilizing Tomcat's FORM-Login, and after successful login writes a Session-cookie into a MySQL-database (among other stuff). When the next request to a protected content comes to Apache HTTPD, Apache HTTPD checks wether a certain cookie exists and compares it's value with the value stored inside the MySQL-database. If found, it's ok, else it goes back to the Login-Page. As I said before, we have multiple website all hosted on the same servers (behind a Loadbalancer). Role-Based AAA ------------------------ Since some customers do have access to more than one website of ours, we hvae created a role-based system so that once authorized and belonging to multiple roles, they don't have to re-login again thanks to Tomcat's SSO-Valve. We are using session-cookies timing out after a defined period of time. They are also invalidated if the brwoser is closed. Motivation for Setup ---------------------------- We server a lot of static content (html, javascript, pdf), so that we decided to serve this via Apache HTTPD for performance reasons. Since for security reasons we didn't want to use PHP for dynamic content (and since I'm a Java-guy), we opted for JSPs / Servlets for dynamic content. Since I'm into Opensource and I like Apache Group's stuff a lot (and for some other reasons), we opted for Tomcat for the dynamic content. Problems -------------- Most of our users are running IE in various versions. Sometimes, some strange error occurs when instead of dynamic content to be served, the user just sees a "Page cannot be displayed" error-message. We checked our logs (Apache HTTPD, Tomcat), alas, to no avail. However, whene I checked the logs of mod_jk, I found some messages like this one: [Fri Mar 13 13:48:22 2009][0869:0000] [info] jk_handler::mod_jk.c (1971): Aborting connection for worker=wrkr [Fri Mar 13 13:48:44 2009][20858:0000] [info] ajp_process_callback::jk_ajp_common.c (1412): Connection aborted or network problems [Fri Mar 13 13:48:44 2009][20858:0000] [info] ajp_service::jk_ajp_common.c (1761): Receiving from tomcat failed, because of client error without recovery in send loop 0 Besides, it's quite difficult when a Tomcat session times out: This has to be propagated to Apache HTTPD, meaning, the cookie-entry has to be removed from the MySQL-database. Currently we're achieving this with a SessionListener clearing the values from the database once a Session gets destroyed. SSL / Costs ----------------- Actually the costs of the SSL-certs is not such a big issue (we talk about 300€ which is an equivalent for 3 hrs work - this is not the money *I'm* getting but what my company calculates with). It's just the hazzle getting them via our provider, re-authenticate with the SSL-provider and so on. It's simply not a smooth process, and that's why I was looking for an alternate solution. Current Development ------------------------------ I'm curently porting the first few site into a Tomcat-only-environment strctly following the KISS-principle: Keep It Simple, Stupid! I'm testing them now with Tomcat 6 using the APR, thus avoiding all the hazzle with Apache / mod_jk / Tomcat-connectivity, avoiding the hazzle with AAA using mod_auth_cookie2 and so on. Besides, I believe the less components are involved within the serving of a website, the lower any possible security-issue is. Whew, that was quite some post, however, I owed you that one and maybe you guys now have some idea why I'm asking all those questions. Cheers! Gregor -- just because your paranoid, doesn't mean they're not after you... gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2 gpgp-key available @ http://pgpkeys.pca.dfn.de:11371 --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
