tomcat-users mailing list archives

From QM <>
Subject Re: Tomcat Security Constraints
Date Thu, 08 Apr 2004 16:49:07 GMT
On Thu, Apr 08, 2004 at 06:36:16PM +0200, Malcolm Warren wrote:
: Surely the authorization should be requested in all places and at all 
: times, wherever the request is coming from, even if from an include in an 
: unprotected page?

Clearly not, if it's going through. ;)

My understanding of the spec is that the security constraints are for
the originally-requested URI only.  

It's up to the developers to make sure content doesn't get <include>'d
or forward()'d to the wrong place.

: It has happened that I forget to type https:// and type http:// instead.
: So if a nasty, mean person is listening in, he can see my password 
: unencrypted, right?
: How can I prevent this?

Use all SSL, all the time, and I'm not being facetious there.  If the
data is that sensitive, why not?

Other than that, I believe there are auth restraints in web.xml that
require SSL auth.  I'd be more specific, but I'm deep into a C++ project
right today so my servlet spec knowledge is a little hazy.

btw, what's wrong with form auth?  I don't recall it requiring that much
extra programming.


