1 Reply Latest reply on May 3, 2012 9:52 AM by vphanibhushanreddy

    How does JBOSS know a connection is secure

    ewren

      I refer to the JBoss documentation regarding setting up JBoss with an HTTP server to support SSL:

       

      "It is important to note that configuring JBoss Web to take advantage of secure sockets is usually only necessary when running it as a stand-alone web server.  When running JBoss Web primarily as a Servlet/JSP container behind another web server, such as Apache or Microsoft IIS, it is usually necessary to configure the primary web server to handle the SSL connections from users. Typically, this server will negotiate all SSL-related functionality, then pass on any requests destined for the JBoss Web container only after decrypting those requests.  Likewise, JBoss Web will return cleartext responses, that will be encrypted before being returned to the user's browser.  In this environment, JBoss Web knows that communications between the primary web server and the client are taking place over a secure connection (because your application needs to be able to ask about this), but it does not participate in the encryption or decryption itself."

       

      My question is, how does JBOSS know that the communication between the client and the HTTP server is secure?

       

      We have a scenario where a new load balancer has been put in place in front of Apache that is now going to take care of the SSL offloading, and all communications between the load balancer and Apache and on to Tomcat will be unencrypted.

       

      The issue is that we have several web applications on several JBoss instances that are configured to require confidential transport like below:

       

      <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>

       

      What happens is that if SSL offloading occurs in the load balancer, then when the requests reach the web application, JBoss attempts to redirect to the secure port 8443, which we do not want to happen.

       

      So when Apache handles the SSL, how does JBoss know that the connection is secure, and is that something I can mirror when the SSL is being handled further upstream by a load balancer? Ideally I would rather not have to redeploy all these applications.

       

      Many thanks

        • 1. Re: How does JBOSS know a connection is secure
          vphanibhushanreddy

          JBoss doesn't need to know whether the connection is secure or not, but when it comes to configuring with SSL, it accepts the requests only on certain ports. For example, the http protocol runs on port 80, whereas https runs on 443 unless explicitly changed. So when one would like to send a request using http/https, the data will be communicated to the respective ports.
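
The mechanism the question asks about, as an added example that is not part of the original thread: the container lets a CONFIDENTIAL request through when the connector it arrived on reports the request as secure, and a Tomcat-style HTTP connector can be told to report that through its `scheme`, `secure` and `proxyPort` attributes. The sketch assumes a JBoss Web release configured through a Tomcat-style server.xml; the ports and the bind address are constructed values.

```xml
<!-- Added example: Tomcat-style Connector elements as used by JBoss Web.
     Ports and the bind address are constructed values. The two elements
     are a before/after pair, shown together only for comparison. -->

<!-- Before: plain HTTP connector. Requests arriving here report
     request.isSecure() as false, so a web.xml constraint with
     transport-guarantee CONFIDENTIAL is answered with a redirect
     to redirectPort (8443 here). -->
<Connector protocol="HTTP/1.1"
           port="8080"
           address="10.0.0.5"
           redirectPort="8443" />

<!-- After: a dedicated connector for traffic whose TLS was terminated
     upstream (load balancer, then Apache, then JBoss over plain HTTP).
       scheme="https"   request.getScheme() returns "https", so URLs the
                        application builds point back at the TLS endpoint
       secure="true"    request.isSecure() returns true, so the
                        CONFIDENTIAL check passes without a redirect
       proxyPort="443"  request.getServerPort() returns the port the
                        client actually used
     The deployed applications and their web.xml stay unchanged.

     secure="true" is an assertion, not a measurement: every request that
     reaches this connector is treated as confidential. Bind it to an
     internal interface and allow only the TLS-terminating tier to
     connect, otherwise a client that reaches this port directly bypasses
     the transport guarantee. -->
<Connector protocol="HTTP/1.1"
           port="8081"
           address="10.0.0.5"
           scheme="https"
           secure="true"
           proxyPort="443" />
```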