tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Re: SSL and form-based login
Date Mon, 22 Nov 2004 23:20:14 GMT
On Mon, Nov 22, 2004 at 08:21:11AM -0800, footh wrote:
> On another note, once I'm in a page that is set to use
> SSL all relative links within that page continue to
> use SSL even though I would rather they be non-SSL. 
> Is there an easy way to prevent that other than
> hardcoding absolute URLs in all the non-SSL links?  

	nope.  that's just how relative links work.
The "https://" part is treated no differently than the 
"" portion.

> I guess I could set transport-guarantee tags to NONE
> for every single non-SSL page.  That just seems like a
> bit of an administrative hassle as everytime I add a
> new page (or rather, folder) I'd have to add the
> appropriate transport tag.

	That won't work.  The guarantee is a _minimum_ guarantee.
If you really want to switch back to non-SSL after login you
need to jump through another explicit redirect.

	It seems almost like tomcat handles that automatically for
you, except that the save request is not available to a http
login form if the original request was https.  i.e. if I point my
browser at "", then simulate a
redirect by going to "" and submit
the form (which would be ""),
it complains about the "time allowed for the login process has been exceeded".
	However, if the original page is http and the login form is submitted
with https then it works fine.  That seems like an explicit constraint that
tomcat enforces, but I can't find where in the authentication code it does
that.  Of course, encrypting other requests and not the login page is a
pretty stupid thing to do. :)


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message