On 15 Jan 2010, at 14:36, Rod Widdowson wrote:
>> I have a vague memory of Ian Young saying that the way the UK
>> federation does signing means it is advisable to front Tomcat with
>> Apache. I could be wrong though as my vague memories are not reliable.
>
> Ian can (and will!) rebut me here but I'd imagine that this was before we
> developed the code which made it possible to deal with arbitrary signed
> certs in tomcat.
My memory is even vaguer than Cal's, but I suspect you're right about this. In pre-2.x days, if you used Tomcat on its own you needed to stick needles in your eyes... no, I mean, keep updating Tomcat's trust store on a regular basis. Fronting with Apache rather counter-intuitively allowed you to bypass Tomcat's trust handling and let the IdP take care of it. Post-2.x, this is possible even in Tomcat-only deployments and makes that setup very viable.
So I'd say use Apache if it's what you know, but ignore it if it would just add complication for you.
-- Ian