tomcat-users mailing list archives

From footh <fo...@yahoo.com>
Subject SSL and form-based login
Date Sun, 21 Nov 2004 00:59:31 GMT
Through lots of research, I thought I had finally
figured out how to set up SSL with form-based login. 
However, I still have a couple of outstanding issues.

SSL seems to be working fine, however, I don't believe
the login page is using SSL.  The reason is that
when I try to hit any other page on the site with SSL,
my browser invokes the certificate dialog box. 
However, when the form-based login forces the redirect
to my custom login page, I don't get the certificate
dialog box.  Here's a snippet of the relevant parts of
web.xml (sorry if the formatting is bad):

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login pages</web-resource-name>
    <url-pattern>/login/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Form-Based Authentication</realm-name>
  <form-login-config>
    <form-login-page>/login/login.jsp</form-login-page>
    <form-error-page>/login/logininvalid.jsp</form-error-page>
  </form-login-config>
</login-config>

Another issue I have is if I have a "protected" page
that is using SSL, all links in the page default to
the SSL protocol even though those pages should just
be standard http.  Might anyone know how to work around
this?  I've tried scouring the mailing lists on this
issue and I've actually found posts saying it is a
security risk to switch back to http.  
Ex:
http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg61925.html

However, all these types of posts seem to be several
years old.  Is this still a bad idea...to switch from
https to http?

Thanks
JF
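
The following audit script is an added example, not part of the original post or of Tomcat. It parses a web.xml and reports which form-login pages fall outside every CONFIDENTIAL constraint and which auth-protected URL patterns declare no transport guarantee of their own. The /members/* constraint and the function names are assumptions made for illustration, and the URL matching is a simplification of the servlet specification's best-match rules.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the post's snippet plus a hypothetical /members/* area.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login pages</web-resource-name>
    <url-pattern>/login/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection><url-pattern>/members/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>member</role-name></auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login/login.jsp</form-login-page>
    <form-error-page>/login/logininvalid.jsp</form-error-page>
  </form-login-config>
</login-config>
</web-app>"""

def matches(pattern, path):
    """Simplified servlet url-pattern match: /prefix/*, *.ext, / or exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern in ("/", path)

def audit(xml_text):
    """Return (login pages outside CONFIDENTIAL, auth-only url-patterns)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop any XML namespace prefix
        el.tag = el.tag.split("}")[-1]
    confidential, auth_only = [], []
    for sc in root.iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        tg = sc.findtext("user-data-constraint/transport-guarantee", "").strip()
        if tg == "CONFIDENTIAL":
            confidential += patterns            # pattern requires a secure transport
        elif sc.find("auth-constraint") is not None:
            auth_only += patterns               # login required, transport unspecified
    pages = [e.text.strip() for e in root.iter()
             if e.tag in ("form-login-page", "form-error-page")]
    return [p for p in pages if not any(matches(c, p) for c in confidential)], auth_only
```

For the sample above, both login pages are covered by /login/*, while /members/* is reported as requiring login without a transport guarantee.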