
Tomcat with ssl

 
dhanya s pillai s
Greenhorn
Posts: 4
I have made my Tomcat secure, i.e. it now runs on https://localhost.
But I can download my contents without authenticating whether my client is the right person or not. I don't want this. The whole concept of SSL goes for a toss. I believe, put the client authentication certificate in the cacert file, right?
I also have a doubt whether a certificate is needed also for the client, and if yes, where should we keep this?

Please help me out.
Thanks
 
David O'Meara
Rancher
Posts: 13459
Encryption is not the same as authentication. You now have secure pages so that they cannot be eavesdropped during transmission.

If you want people to log in you need to manage this separately, see 'Authentication and Authorisation'

Dave
 
David O'Meara
Rancher
Posts: 13459
It sounds like you are confusing encryption with 'certificate authentication'. With encryption you only need a single certificate on the server and nothing on the browser.
 
dhanya s pillai s
Greenhorn
Posts: 4
Thanks David for answering my question.

Yes, you are right, I have some doubts. Let me explain my problem.

When I tried to download files from the secure server it gave me an SSL handshake exception,

so what I did is change my Java code:

URLConnection conn = url.openConnection();
HttpsURLConnection connection = (HttpsURLConnection) conn;

Now when I try to access the secure server it works fine. All the requests and responses are also handled well.

What I believe (it's my assumption, correct me if I am wrong) is that we would require 2 certificates: one the server has and one the client should have, which is kept at the client side. I tried to keep this in the cacert file in the security folder.

The reason is I am using Tomcat for testing purposes. But when I go to VeriSign certified sign this code may fail.

Please can you solve my doubts.

Thanks again
 
David O'Meara
Rancher
Posts: 13459
The encryption is initiated by the server and the server's certificate is used to negotiate a secure connection with the client. While you are right that there is information that needs to be shared by the client and server, this isn't 'held' on the client, it is created for the current SSL conversation during the handshake.

I have simplified a bit, but hopefully I'm still correct.
 