I have a Windows Server 2008 R2 box with IIS 7.5 and Apache Tomcat 5.5. JSP traffic is routed from IIS to Tomcat via the AJP Connector version 1.3. This connector uses an ISAPI filter in IIS to identify the traffic to route to Tomcat.
I want to set up HTTPS for just the Tomcat portion, but it doesn't seem that simple, given the configuration above. So far, it appears that I have to apply SSL to IIS, encrypting all traffic, and there doesn't appear to be a way around it, which is why I am reaching out here for a solution that I may have missed.
The link here has a section which states IIS usually has to have SSL enabled, but the word "usually" leaves some wiggle room for an alternative solution, perhaps.
Is there a method by which I can apply SSL only to Tomcat and leave IIS alone? Or, how can I set up SSL for only particular pages (i.e. .JSP)?
Thank you very much.
Update
I got HTTPS set up on Tomcat, without touching IIS. So, now HTTP and HTTPS are both active. I can also filter which pages should be forced to HTTPS, via the url-pattern, in the web.xml file. Now the problem is how do I force certain pages to HTTP? For example, I'm at a login page, which is HTTP. I submit the page and it authenticates over an HTTPS connection. Upon successful authentication, it should return to an HTTP home page (i.e. index.jsp). How can this be done?
Thank you.
When the request comes into IIS and is passed to Tomcat, the HTTP transmission terminates at IIS. The ISAPI handler that IIS uses transforms the request and uses AJP to communicate with Tomcat. There is no HTTP traffic exchanged between Tomcat and IIS.
AJP stands for the Apache JServ Protocol. It's an actual protocol, versus the Hypertext Transfer Protocol (HTTP). With that being said, there is typically no SSL communication required over AJP. Either way, this thread has a good discussion of the topic. However, much of the discussion is based around using an HTTPS forwarder to Tomcat instead of AJP. You might have to look into IIS ARR to accomplish that.
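To illustrate the point above that the IIS-to-Tomcat hop is AJP rather than HTTP, here is an added example (not code from the question or the answer) that decodes the fixed fields of an AJP13 Forward Request, including the one-byte `is_ssl` field through which the front end reports whether the client connection used TLS. The packet contents (URI, addresses, host names) are constructed sample values, and `build_sample` is a hypothetical helper used only to produce them.

```python
import struct

METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE"}

def _string(buf, pos):
    """AJP string: 2-byte big-endian length, bytes, trailing NUL (0xFFFF = null)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if n == 0xFFFF:
        return None, pos + 2
    end = pos + 2 + n
    if end >= len(buf) or buf[end] != 0:
        raise ValueError("truncated or unterminated AJP string")
    return buf[pos + 2:end].decode("latin-1"), end + 1

def parse_forward_request(packet):
    """Decode the fixed fields of an AJP13 Forward Request (web server -> Tomcat)."""
    if len(packet) < 6:
        raise ValueError("packet too short")
    magic, length = struct.unpack_from(">HH", packet, 0)
    if magic != 0x1234 or length != len(packet) - 4:
        raise ValueError("not a well-formed AJP13 server-to-container packet")
    if packet[4] != 0x02:  # prefix code 2 = Forward Request
        raise ValueError("not a Forward Request")
    req = {"method": METHODS.get(packet[5], packet[5])}
    pos = 6
    for field in ("protocol", "req_uri", "remote_addr", "remote_host", "server_name"):
        req[field], pos = _string(packet, pos)
    # server_port (2 bytes), is_ssl (1 byte), num_headers (2 bytes) follow the strings.
    req["server_port"], is_ssl, req["num_headers"] = struct.unpack_from(">HBH", packet, pos)
    req["is_ssl"] = bool(is_ssl)  # TLS state of the client connection, set by the front end
    return req

def _enc(s):
    b = s.encode("latin-1")
    return struct.pack(">H", len(b)) + b + b"\x00"

def build_sample(is_ssl, port):
    """Constructed sample: a POST with no headers, as the front end would forward it."""
    body = bytes([0x02, 0x04]) + b"".join(_enc(s) for s in (
        "HTTP/1.1", "/app/login.jsp", "203.0.113.7", "client.example", "www.example.test"))
    body += struct.pack(">HBH", port, int(is_ssl), 0) + b"\xff"  # 0xFF = request terminator
    return struct.pack(">HH", 0x1234, len(body)) + body

if __name__ == "__main__":
    print(parse_forward_request(build_sample(True, 443)))
```

The whole packet, including the `is_ssl` byte, crosses the AJP connection unencrypted, so what Tomcat receives is the front end's statement about the client connection rather than a TLS session of its own.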