iis security: We have a servlet that is served by Tomcat. IIS is employed to redirect ot
Tomcat via AJP. IIS is also SSL enabled as our data is sensistive.

I am setting IIS to use SSL encryption on the default website. I have a
redirector that forwards request to Tomcat

I wish to call a jsp in Tomcat and pass SSL encrypted data. BUT, to start
the SSL handshake off, I am making a jsp request with the data I wish to be
SSL encrypted.

My question is

If I call a jsp from a browser and pass it some parameters that need to be
sent encrypted, do the parameters get SSL encrypted BEFORE they are sent, or
are they sent clear text, then the SSL Handshake, then all other data sent
is encrypted?

If you make the following request from the browser:

POST https://www.yourserver.com/redirected/default.jsp?sensitiveinfo=data

Then both the FORM entity body as well as sensitiveinfo=data will be
encrypted on the initial request. The server will need to complete the SSL
handshake to even retrieve any of that data from the request. This is how
SSL works.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
[quoted text, click to view]
We have a servlet that is served by Tomcat. IIS is employed to redirect ot
Tomcat via AJP. IIS is also SSL enabled as our data is sensistive.

I am setting IIS to use SSL encryption on the default website. I have a
redirector that forwards request to Tomcat

I wish to call a jsp in Tomcat and pass SSL encrypted data. BUT, to start
the SSL handshake off, I am making a jsp request with the data I wish to be
SSL encrypted.

My question is

If I call a jsp from a browser and pass it some parameters that need to be
sent encrypted, do the parameters get SSL encrypted BEFORE they are sent, or
are they sent clear text, then the SSL Handshake, then all other data sent
is encrypted?