tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Roland Carlsson <roland.carls...@alfa-moving.se>
Subject Login over ssl
Date Fri, 12 Nov 2004 10:13:50 GMT
Hi!

I got a problem with securing a login-page. I would like the login-form to
be secured with ssl to ensure that the users credentials isn't easially
readable. But I have no need to put the rest of my page in ssl-mode.

I have posted the <security-constraint/> and <login-config/> below.
It seems like if the <security-constraint> named AQMFiles 02 isn't used at
all. Atleast all reqeusts that get interupted as the user isn't
authenticated is sent to /login.jsp as a  non-sll requests and doesn't get
redirected to ssl.

Must I put my whole web-app in ssl-mode to make sure that my users
credentials is secure?

Regards
Roland Carlsson

Ps: I apologize for the posting that got the wrong adress (Gothia), I should
learn not to talk in the phone and write mail at the same time. :-)

--------------- part of web.xml----------

<security-constraint>
    <display-name>AQMFiles 02</display-name>
    <web-resource-collection>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/error.jsp</url-pattern>
      <url-pattern>*j_security_check*</url-pattern>
     </web-resource-collection>
     <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>AQMFiles 01</display-name>
    <web-resource-collection>
      <url-pattern>/pages/*</url-pattern>
      <url-pattern>/env/*</url-pattern>
      <url-pattern>/index_1.jsp</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>*</role-name>
     </auth-constraint>
     <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
     </user-data-constraint>
  </security-constraint>
  
    
  <login-config>
   <auth-method>FORM</auth-method>
   <realm-name>AQMFile login</realm-name>
   <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
   </form-login-config>
</login-config>

-------------------------------------------






---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message