Moley Harey wrote:
Hello folks,
I have a set of web services installed in Tomcat 6.0.26 that I would like to
access using HTTPs, I have following the instructions in Tomcat web side to
set up JSSE support and now I can access the web services using SSH.
My question is what do I have to do in my Java client-side classes to work
with HTTPs requests from Tomcat? Do I have to accept somehow the certificate
provided by Tomcat in my Java classes? Well, I'm totally newbie in these
security issues :-/
Only because you mention that you are a total newbie, and because I am myself not far
above that level, some beginning pointers :
It helps to give things their correct name (or acronym), so as to be able to find the
correct documentation and understand their relationship.
SSL is "Secure Socket Layer". (Google : SSL RFC)
SSH is an acronym for "Secure Shell" (Google : SSH RFC)
HTTP is an acronym for "HyperText Transport Protocol". (Google : HTTP RFC)
HTTPS (with a big S) is an acronym for "HTTP over SSL". (Google : HTTPS RFC)
So you are not accessing the web services over SSH, you are accessing your web services
over HTTPS, which itself "lives" above an SSL connection, which itself lives above a TCP
connection, which itself lives above an IP link (which itself lives over an Ethernet link
(probably) etc..).
And on top of it all, you have the application (both at the client side, and at the server
side).
Schematically :
Client application Server application
Client "container" (?) (e.g. a JVM) Server container (e.g. JVM +
Tomcat)
Client O.S. Server OS
Client SSL layer (optional) Server SSL layer (optional)
Client OS TCP/IP layer Server OS TCP/IP layer
Client-side Ethernet layer Server-side Ethernet layer
Client-side hardware layer <--------------> Server-side hardware layer
When the client side application sends something to the server-side application, whatever
data is sent goes through all the layers on the client side, then over the physical
connection, then through all the layers on the server side up to the server application.
The encryption/decryption, if any, takes place at the SSL layer level,
automatically.
So basically, to answer our question, you do not /have/ to do something special at the
application level. The container and the OS take care of the interface, so that your
application can just use the standard "read" and "write" and "open" and "close" and
request.getParameters() calls, no matter if the connection uses an SSL layer or not.
But you /can/ make use of some of the SSL-specific things, if you want.
For example, the server-side application setup /could/ tell the container that it will
only accept requests that come over a secure channel, and only if they come from a client
identified as "X" or "Y".
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
