Tomcat 7 GWT应用SSL配置

Question

I am working on gwt project which is hosted on tomcat 7 right now I am using private ssl on my own tomcat server. I use following settings to apply ssl in server.xml .

 <Connector port="12004" protocol="HTTP/1.1" 
           connectionTimeout="20000" 
           redirectPort="8443" />
 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keystoreFile= "/home/ssl/keystore.jks" keystorePass="PASSWORD"/>

  <Host name="myapp.com" appBase="/home/jvm/apache-tomcat-7.0.35/domains/myapp.com" unpackWARs="true" autoDeploy="true"   xmlValidation="false" xmlNamespaceAware="false">
    <Alias>www.myapp.com</Alias>
  </Host>

This works properly but I think this is not good with perfomece. because all the compiled gwt codes and image and css also encrypted with ssl which is according to me not required. There should only data calls to server should encrypted. so how can I do this is there any way to put fillter in ssl so I can speed up my app. or any other way to do this.? If I am in wrong way please suggest me the best practice of using SSL with GWT app on tomcat. Thanks.

Answer 1

If you have your servlets (eg GWT-RPC, RequestFactory, ...) on HTTPS, then you will have to serve your HTML page also from HTTPS (due to the Same Origin Policy ).

However, you can serve your JavaScript, CSS, ... files from HTTP. Just make the links in your HTML page point to the HTTP version of your JS/...-Files, and make sure to compile the GWT code with the cross site (xsiframe) linker:

<add-linker name="xsiframe"/>

The little problem that will arise, however, is that the user's browser will warn, that the site is encrypted, but includes unsafe resources. This doesn't look very professional (and actually, it is a relatively high security risk), but on the other hand, many (even established) sites still use this approach.