Tomcat 5.5 Vs Tomcat 6.0 - Handling SSL with Apache 2.2

Greenhorn
Posts: 18
Hi Friends,

This question is related to the way Tomcat 5.5 and Tomcat 6.0 interact with the Apache 2.2 web server for accepting connections.

We have 2 web applications which, when accessed with http/https, should open a Login dialog, where the user provides user id/password and gets authenticated by the Apache 2.2 Web server using BASIC AUTHENTICATION. Then the authenticated request should be handled by the Tomcat Web container.

Now the problem is, the above mentioned flow works perfectly for the Web Application deployed on Tomcat 6.0. But it does not work for the web application deployed in Tomcat 5.5 and displays error 403.

Any suggestions/guidelines to resolve this issue would be really helpful.

Thank you,
Mohan
Saloon Keeper
Posts: 27763
I don't know why Tomcat 5 and Tomcat 6 should be different there, but I can make some observations about the viability of this technique:

1. BASIC authentication isn't very secure. The userid and password are "encrypted" by one of the most feeble algorithms out there. The only thing that makes BASIC authentication even viable is running it over SSL.

2. About the only way to reliably log out of an app running BASIC authentication is to shut down your browser. I normally have half a dozen different browser tabs open at any given time, so that's not pleasant.

3. The Apache security system is designed to secure Apache apps. It isn't the best fit for Java webapps. For example, it doesn't support role-based access control, and it doesn't enable the J2EE built-in security functions.
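As an added illustration (not from the thread or from Tim's post) of the front-end arrangement described in the question, with Tim's first point applied: Apache 2.2 terminates SSL, performs BASIC authentication, and forwards only authenticated requests to Tomcat over AJP. The hostname, certificate paths, htpasswd file and the context path /webapp1 are assumed placeholders, not values from the thread.

```apache
# Assumes mod_ssl, mod_auth_basic, mod_authn_file, mod_authz_user,
# mod_proxy and mod_proxy_ajp are loaded (distribution specific).
# Apache httpd comments must sit on their own lines.

# Plain HTTP only redirects to HTTPS, so the Authorization header
# (base64 of user:password, not encryption) is never sent in the clear.
<VirtualHost *:80>
    ServerName app.example.internal
    Redirect permanent / https://app.example.internal/
</VirtualHost>

<VirtualHost *:443>
    ServerName app.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/app.crt
    SSLCertificateKeyFile /etc/httpd/ssl/app.key

    # Weak variant: the same <Location> block without SSLRequireSSL and
    # without the port-80 redirect would accept credentials over http://.
    <Location /webapp1>
        # Refuse the resource over plain HTTP even if the redirect is removed.
        SSLRequireSSL
        AuthType Basic
        AuthName "Intranet Login"
        AuthBasicProvider file
        # Created with htpasswd; keep it outside DocumentRoot and readable
        # only by the httpd user.
        AuthUserFile /etc/httpd/conf/htpasswd
        Require valid-user
        # Apache only decides "valid user or not"; the webapp's own login
        # and role checks (Tim's third point) still run inside Tomcat.
    </Location>

    # Hand the authenticated request to Tomcat's AJP connector.
    ProxyPass        /webapp1 ajp://127.0.0.1:8009/webapp1
    ProxyPassReverse /webapp1 ajp://127.0.0.1:8009/webapp1
</VirtualHost>
```

Because httpd answers the challenge itself, a 403 for a protected path appears in Apache's error_log before Tomcat sees the request, which is the first place to compare the two deployments.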
Mohan Chandrasekaran
Greenhorn
Posts: 18
Thank you Tim for providing valuable suggestions on implementing security.

The web applications I am talking about have separate logins controlled by the WebApp.

The basic authentication is for access from outside the intranet, because the web-apps are accessed within the intranet too.

Thank you,
Mohan