tomcat-users mailing list archives

From Peter Lin <wool...@gmail.com>
Subject Re: SSL and form-based login
Date Sun, 21 Nov 2004 01:07:44 GMT
The same rule still applies. That's just the reality of using
SSL and ensuring security. A browser that is SSL compliant actually
should default to https. The only way around that is to use a non-SSL
compliant browser.

peter


On Sat, 20 Nov 2004 16:59:31 -0800 (PST), footh <footh@yahoo.com> wrote:
> Through lots of research, I thought I had finally
> figured out how to set up SSL with form-based login.
> However, I still have a couple of outstanding issues.
> 
> SSL seems to be working fine, however, I don't believe
> the login page is using SSL.  The reason being,
> when I try to hit any other page on the site with SSL,
> my browser invokes the certificate dialog box.
> However, when the form-based login forces the redirect
> to my custom login page, I don't get the certificate
> dialog box.  Here's a snippet of the relevant parts of
> web.xml (sorry if the formatting is bad):
> 
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Login pages</web-resource-name>
>     <url-pattern>/login/*</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> 
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>Form-Based Authentication</realm-name>
>   <form-login-config>
>     <form-login-page>/login/login.jsp</form-login-page>
>     <form-error-page>/login/logininvalid.jsp</form-error-page>
>   </form-login-config>
> </login-config>
> 
> Another issue I have is if I have a "protected" page
> that is using SSL, all links in the page default to
> the SSL protocol even though those pages should just
> be standard http.  Might anyone know how to work around
> this?  I've tried scouring the mailing lists on this
> issue and I've actually found posts saying it is a
> security risk to switch back to http.
> Ex:
> http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg61925.html
> 
> However, all these types of posts seem to be several
> years old.  Is this still a bad idea...to switch from
> https to http?
> 
> Thanks
> JF
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
>
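An added example, not code from the original thread: a web.xml fragment that puts CONFIDENTIAL on the protected pages themselves, not only on /login/*. The container presents the form login page in the context of the request it intercepted, so if that request was allowed over plain http, the form is shown over plain http too; requiring SSL on the protected resource makes the container redirect to https before the form appears. The /secure/* pattern and the role name "user" are assumptions.

```xml
<!-- Added example for the thread above, not from the original post.
     The /secure/* pattern and the "user" role are assumptions. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected pages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <!-- The auth-constraint is what triggers the FORM login. -->
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <!-- CONFIDENTIAL here makes the container switch the request to
       https before it shows the login form, so the form and the
       posted credentials travel over SSL. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Keep the login pages on SSL as well, for direct hits on /login/*. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login pages</web-resource-name>
    <url-pattern>/login/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Form-Based Authentication</realm-name>
  <form-login-config>
    <form-login-page>/login/login.jsp</form-login-page>
    <form-error-page>/login/logininvalid.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Declare the role the auth-constraint refers to. -->
<security-role>
  <role-name>user</role-name>
</security-role>
```

A constraint with only a user-data-constraint and no auth-constraint forces SSL but never prompts for login, which is why the /login/* block alone does not protect anything.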
