Josh Gooding wrote:
Update:
So after re-re-reading the docs, since TC is not my standalone webserver, I
should configure Apache (httpd) for SSL. That seems to be what I am
reading.
Yes.
Client -> SSL -> Apache -> Ap/To Connector -> non-SSL -> Tomcat
                           (e.g. mod_jk)                 AJP Connector
The above is assuming that you would want all accesses which eventually
go to Tomcat, to be under SSL from the client point of view.
The idea is: SSL creates an overhead (encryption). If the link between
Apache and Tomcat is secure (such as, they both run on the same host, or
they run on separate hosts, but both inside of your secure network),
then you do not want to have an additional overhead by
encrypting/decrypting the communications between Apache and Tomcat.
Second point of interest:
if, in the Tomcat <Connector> which accepts the requests from Apache,
you set the attribute "tomcatAuthentication=false", then Tomcat will
"believe" the user-id it gets from Apache, as being already
authenticated by Apache, and will use it within Tomcat as the user-id.
Now you have thus moved the authentication issue back to Apache.
Let's forget SSL for a minute.
Under Apache, you want to protect access to some or all areas of the
server (including the requests which you are going to forward to
Tomcat), in such a way that the user must be authenticated to access
these areas.
There are different methods under Apache to force the user to
authenticate. If you want to do it via your own login page though, then
you will have to find an Apache add-on module which allows you to do
that, because it is not built-in.
This, you should enquire about on the Apache httpd user's list.
Let's now re-add SSL.
In addition to the above, you would like the login dialog (login page
and client response to that login page) to happen under SSL, and the
rest of the conversation not.
That is not so easy as it may sound however.
So, when you enquire about a login page authentication method (on the
Apache httpd user's forum), you should make sure that you specify this
requirement clearly.