Tomcat with ssl

dhanya s pillai s
Greenhorn

Joined: Dec 10, 2007
Posts: 4
I have made my Tomcat secure, i.e. it now runs on https://localhost.
But I can download my contents without authenticating whether my client is the right person or not. I don't want this. The whole concept of SSL goes for a toss. I believe: put the client authentication certificate in the cacert file, right?
I also have a doubt whether a certificate is needed also for the client, and if yes, where should we keep this?

Please help me out
Thanks
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Encryption is not the same as authentication. You now have secure pages so that they cannot be eavesdropped during transmission.

If you want people to log in you need to manage this separately, see 'Authentication and Authorisation'

Dave
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

It sounds like you are confusing encryption with 'certificate authentication'. With encryption you only need a single certificate on the server and nothing on the browser.
dhanya s pillai s
Greenhorn

Joined: Dec 10, 2007
Posts: 4
Thanks, David, for answering my question.

Yes, you are right, I have some doubts. Let me explain my problem.

When I tried to download files from the secure server, it gave me an SSL handshake exception,

so what I did is change my Java code:

URLConnection conn = url.openConnection();
HttpsURLConnection connection = (HttpsURLConnection) conn;

Now when I try to access the secure server it works fine. All the requests and responses are also handled well.

What I believe (it's my assumption, correct me if I am wrong) is that we would require 2 certificates: one the server has and one the client should have, which is kept at the client side. I tried to keep this in the cacert file in the security folder.

The reason is I am using Tomcat for testing purposes. But when I go to Verisign certified sign, this code may fail.

Please can you solve my doubts.

Thanks again
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

The encryption is initiated by the server and the server's certificate is used to negotiate a secure connection with the client. While you are right that there is information that needs to be shared by the client and server, this isn't 'held' on the client, it is created for the current SSL conversation during the handshake.

I have simplified a bit, but hopefully I'm still correct.
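
The difference between encryption only and 'certificate authentication' discussed in this thread, shown as Tomcat connector configuration. This is an added example, not part of the original posts; it assumes the Tomcat 6/7 JSSE connector attributes (newer Tomcat versions configure this through SSLHostConfig and its certificateVerification attribute), and every path, password and port is a placeholder.

```xml
<!-- Added example for server.xml. All file names, passwords and ports are placeholders. -->

<!-- (a) Encryption only: the server presents its certificate from the keystore.
     The client sends no certificate, so anyone who can reach the port can connect. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="conf/server-keystore.jks" keystorePass="CHANGE_ME"
           clientAuth="false" sslProtocol="TLS" />

<!-- (b) Certificate authentication: same server keystore, but the handshake now fails
     unless the client presents a certificate that chains to a CA in the truststore. -->
<Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="conf/server-keystore.jks" keystorePass="CHANGE_ME"
           truststoreFile="conf/client-ca-truststore.jks" truststorePass="CHANGE_ME"
           clientAuth="true" sslProtocol="TLS" />
```

With (b), a Java client keeps its own certificate and private key in a keystore (for example via the javax.net.ssl.keyStore system property); the cacerts file is a trust store that only lists the CAs the client accepts when checking the server's certificate.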
 