[jopr-dev] tomcat and agent security
John Mazzitelli
mazz at redhat.com
Thu Feb 26 13:09:19 EST 2009
I just checked in a third (but commented) Tomcat <Connector>. It can be uncommented by users if they need this capability.
The comments in server.xml tell you when you might want to do this:
<!-- Provides a secure but un-authenticated https connector for browsers to use.
Uncomment this connector if all of the following are true:
1) the server-to-agent communications is secured via the sslservlet transport
2) the server-to-agent communications always require agents to authenticate themselves with certificates
3) you want to allow users' browsers to access the GUI via the https: protocol
4) you do not want to force users' browsers to authenticate themselves with certificates
-->
Just to be clear, by default, this connector doesn't exist and its port isn't open - out of box this connector will be commented out. You have to explicitly turn it on by uncommenting it if you want it.
(BTW: I did test this scenario and it works - you can have two secure connectors where one requires cert auth and the other doesn't)
----- Original Message -----
From: "Heiko W.Rupp" <hwr at redhat.com>
To: "jopr-dev" <jopr-dev at lists.jboss.org>
Sent: Thursday, February 26, 2009 9:32:10 AM GMT -05:00 US/Canada Eastern
Subject: Re: [jopr-dev] tomcat and agent security
On 25.02.2009 at 21:46, John Mazzitelli wrote:
>
> I think this is a use-case where users are gonna want to use the
> sslsocket transport so agents can talk to a separate Jboss/Remoting
> port in the server that can perform SSL certificate checking but it
> leaves Tomcat alone so GUI users are not burdened with needing SSL
> certificate in their browsers.
Would an alternative be to have 2 connectors with ssl enabled - one for
the agent and the other for the clients?
Or does tomcat have a restriction to 1 connector with ssl?
Heiko
--
Registered address: Red Hat GmbH, Otto-Hahn-Strasse 20, 85609 Dornach bei
Muenchen
Commercial register: Amtsgericht Muenchen HRB 153243
Managing directors: Brendan Lane, Charlie Peters, Michael Cunningham,
Werner Knoblich
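One way to check a server.xml for the arrangement discussed in this thread, as an added example that is not part of the original messages or of the Jopr code: it lists the active connectors and reports https ports that accept clients without a certificate. The sample XML, ports and keystore paths are constructed, and the attribute names (SSLEnabled, clientAuth) are assumed from Tomcat's standard connector configuration, since the email does not show the connector itself.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment; ports and keystore paths are placeholders.
# 8080: plain http. 8443: https with client certificate required (agents).
# 9443: https without client certificates, commented out as the email describes.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="example">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="true"
               keystoreFile="conf/example.keystore"
               truststoreFile="conf/example.truststore" />
    <!--
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="conf/example.keystore" />
    -->
  </Service>
</Server>
"""

def audit_connectors(server_xml):
    """Return one record per active connector. The parser drops XML comments,
    so a commented-out connector never appears in the result."""
    records = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        # clientAuth may be true, false or want; only "true" rejects a
        # client that presents no certificate.
        client_auth = conn.get("clientAuth", "false").lower()
        records.append({
            "port": int(conn.get("port")),
            "tls": tls,
            "cert_required": tls and client_auth == "true",
        })
    return records

def tls_ports_without_client_cert(server_xml):
    """https ports that any browser can reach without a client certificate."""
    return [r["port"] for r in audit_connectors(server_xml)
            if r["tls"] and not r["cert_required"]]

if __name__ == "__main__":
    print(tls_ports_without_client_cert(SAMPLE_SERVER_XML))
    # Simulate a user uncommenting the third connector.
    enabled = SAMPLE_SERVER_XML.replace("<!--", "").replace("-->", "")
    print(tls_ports_without_client_cert(enabled))
```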