Friday, June 21, 2002 07:39 AM
Here is an excerpt from the Tomcat documentation:
It is important to note that configuring Tomcat to take
advantage of secure sockets is usually only necessary when
running it as a stand-alone web server. When running
Tomcat primarily as a Servlet/JSP container behind
another web server, such as Apache or Microsoft IIS, it
is usually necessary to configure the primary web
server to handle the SSL connections from users.
Typically, this server will negotiate all SSL-related
functionality, then pass on any requests destined for
the Tomcat container only after decrypting those
requests. Likewise, Tomcat will return cleartext
responses, that will be encrypted before being returned
to the user's browser. In this environment, Tomcat
knows that communications between the primary web
server and the client are taking place over a secure
connection (because your application needs to be able
to ask about this), but it does not participate in the
encryption or decryption itself.
Although communication between Apache and Tomcat is not
encrypted, since they are normally behind a firewall,
that shouldn't create a problem...