tomcat-users mailing list archives

From Adam Hardy
Subject Re: https --> http session problem
Date Mon, 17 Nov 2003 23:24:29 GMT
On 11/17/2003 11:58 PM Kevin Williams wrote:
> I read this post and have a question...and maybe I'm not understanding
> https correctly, but why is your login PAGE secure?  I wouldn't care if
> someone sees an empty page with a prompt for the username and password. 
> The post should be secure though...  In other words... can't you have a
> page post to something like
> [snipped...]

I'm talking about container-managed security where the form submit is to 
j_security_check, as per the servlet spec. There isn't much flexibility 
there. For a secure login, you must post to 
https://mydomain/myapp/j_security_check and for a non-secure post, to 
http://mydomain/myapp/j_security_check. You can't mix and match.


struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
