tomcat-users mailing list archives

From Adam Hardy <ahardy.str...@cyberspaceroad.com>
Subject Re: https --> http session problem
Date Mon, 17 Nov 2003 23:24:29 GMT
On 11/17/2003 11:58 PM Kevin Williams wrote:
> I read this post and have a question...and maybe I'm not understanding
> https correctly, but why is your login PAGE secure?  I wouldn't care if
> someone sees an empty page with a prompt for the username and password. 
> The post should be secure though...  In other words... can't you have a
> page http://www.example.com/login.jsp post to something like
> https://www.example.com/login.do [snipped...]

I'm talking about container-managed security where the form submit is to 
j_security_check, as per the servlet spec. There isn't much flexibility 
there. For a secure login, you must post to 
https://mydomain/myapp/j_security_check and for a non-secure post, to 
http://mydomain/myapp/j_security_check. You can't mix and match.

Adam

-- 
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9

