tomcat-users mailing list archives

From footh <fo...@yahoo.com>
Subject Re: SSL and form-based login
Date Tue, 23 Nov 2004 21:20:16 GMT

--- erh@swapsimple.com wrote:
>
> > I guess I could set transport-guarantee tags to NONE for every single
> > non-SSL page.  That just seems like a bit of an administrative hassle as
> > every time I add a new page (or rather, folder) I'd have to add the
> > appropriate transport tag.
>
> That won't work.  The guarantee is a _minimum_ guarantee.  If you really
> want to switch back to non-SSL after login you need to jump through
> another explicit redirect.
>
> It seems almost like tomcat handles that automatically for you, except
> that the saved request is not available to a http login form if the
> original request was https.  i.e. if I point my browser at
> "https://foo.com/some_protected_page", then simulate a redirect by going
> to "http://foo.com/unprotectedlogin.html" and submit the form (which
> would be "http://foo.com/j_security_check"), it complains about the
> "time allowed for the login process has been exceeded".
> However, if the original page is http and the login form is submitted
> with https then it works fine.  That seems like an explicit constraint
> that tomcat enforces, but I can't find where in the authentication code
> it does that.  Of course, encrypting other requests and not the login
> page is a pretty stupid thing to do. :)

You kind of lost me here... sorry if I'm being dense.

So you are saying the only way to have a link within an SSL page go to
non-SSL is either to hardcode the entire URL in the link or have all the
links flow through a page that forces a redirect to the requested URL with
non-SSL?

Now that I think about it, most (if not all) of my non-SSL links are in
include files.  So, it is easy enough to just place the full link in there.
What bugs me is I've seen other sites with relative links on SSL pages
that go to the non-SSL version (even when you hover over the link and your
browser claims it is going to https).  Using full links will be a pain too
for maintaining production and development environments.  Ugh...
