tomcat-users mailing list archives

From "Michal Kwiatek" <Michal.Kwia...@cern.ch>
Subject RE: Login over ssl
Date Fri, 12 Nov 2004 12:32:55 GMT
According to servlet specs, you need to require transport guarantee CONFIDENTIAL or INTEGRAL
(I'm not sure what the difference is, perhaps somebody can clarify this). So try:

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

Hope that helps...

Michał.

> -----Original Message-----
> From: Roland Carlsson [mailto:roland.carlsson@alfa-moving.se] 
> Sent: Friday, November 12, 2004 11:14 AM
> To: TomcatUsers
> Subject: Login over ssl
> 
> Hi!
> 
> I got a problem with securing a login-page. I would like the 
> login-form to be secured with ssl to ensure that the users' 
> credentials aren't easily readable. But I have no need to 
> put the rest of my page in ssl-mode.
> 
> I have posted the <security-constraint/> and <login-config/> below.
> It seems as if the <security-constraint> named AQMFiles 02 
> isn't used at all. At least all requests that get interrupted 
> as the user isn't authenticated are sent to /login.jsp as 
> non-ssl requests and don't get redirected to ssl.
> 
> Must I put my whole web-app in ssl-mode to make sure that my 
> users' credentials are secure?
> 
> Regards
> Roland Carlsson
> 
> Ps: I apologize for the posting that got the wrong address 
> (Gothia), I should learn not to talk on the phone and write 
> mail at the same time. :-)
> 
> --------------- part of web.xml----------
> 
> <security-constraint>
>     <display-name>AQMFiles 02</display-name>
>     <web-resource-collection>
>       <url-pattern>/login.jsp</url-pattern>
>       <url-pattern>/error.jsp</url-pattern>
>       <url-pattern>*j_security_check*</url-pattern>
>      </web-resource-collection>
>      <user-data-constraint>
>        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>      </user-data-constraint>
>   </security-constraint>
>   <security-constraint>
>     <display-name>AQMFiles 01</display-name>
>     <web-resource-collection>
>       <url-pattern>/pages/*</url-pattern>
>       <url-pattern>/env/*</url-pattern>
>       <url-pattern>/index_1.jsp</url-pattern>
>      </web-resource-collection>
>      <auth-constraint>
>         <role-name>*</role-name>
>      </auth-constraint>
>      <user-data-constraint>
>        <transport-guarantee>NONE</transport-guarantee>
>      </user-data-constraint>
>   </security-constraint>
>   
>     
>   <login-config>
>    <auth-method>FORM</auth-method>
>    <realm-name>AQMFile login</realm-name>
>    <form-login-config>
>       <form-login-page>/login.jsp</form-login-page>
>       <form-error-page>/error.jsp</form-error-page>
>    </form-login-config>
> </login-config>
> 
> -------------------------------------------
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

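Added example, not part of the original messages or of Tomcat itself: a small Python audit of the web.xml fragment quoted above. It flags `url-pattern` values outside the servlet specification's pattern forms and constraints that require authentication without a CONFIDENTIAL or INTEGRAL transport guarantee; the `<web-app>` wrapper, the missing XML namespace and the function name `audit` are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the constraints quoted in the thread, wrapped in a
# <web-app> root without an XML namespace (assumption) so it parses alone.
WEB_XML = """<web-app>
  <security-constraint>
    <display-name>AQMFiles 02</display-name>
    <web-resource-collection>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/error.jsp</url-pattern>
      <url-pattern>*j_security_check*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>AQMFiles 01</display-name>
    <web-resource-collection>
      <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Servlet-spec pattern forms: exact or prefix path ("/..."), or extension ("*.ext").
VALID_PATTERN = re.compile(r"^(/.*|\*\.[^/]+)$")

def audit(web_xml):
    """Return (constraint name, finding) pairs for a web.xml string."""
    findings = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        name = sc.findtext("display-name", default="(unnamed)").strip()
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", default="NONE").strip()
        for pat in sc.iter("url-pattern"):
            if not VALID_PATTERN.match(pat.text.strip()):
                findings.append((name, "bad url-pattern: " + pat.text.strip()))
        # Requests to auth-constrained resources are what trigger FORM login.
        if sc.find("auth-constraint") is not None and guarantee not in ("CONFIDENTIAL", "INTEGRAL"):
            findings.append((name, "auth required but transport-guarantee is " + guarantee))
    return findings

if __name__ == "__main__":
    for name, finding in audit(WEB_XML):
        print(name + ": " + finding)
```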