tomcat-users mailing list archives

From "Rob" <unknown-ri...@earthlink.net>
Subject tomcat 5 combined http and https, same session
Date Mon, 24 Oct 2005 23:13:47 GMT

Hi All,

I looked through the mail archives as well - past two years.  There's some
interesting info, but nothing that seems to address the issue.  My goal is
to run https for some pages in my webapp, and http for other pages, using
the same session.  It's working where I can redirect from http to https (see
the web.xml security constraint block below), but then I'm in https for all
web pages, and if I type http at the URL, the session goes away.  What I'm
aiming for is a webapp where account info is secure and general web pages
are http, and the session is preserved.

Any thoughts, ideas, comments, quotes, anything?  I've searched pretty well,
I think, and I don't see any responses to this problem.  Is that strange?  I
thought a lot of people would use tomcat for an e-commerce or retail webapp,
where some pages were https and some http using the same session.

help!

thanks,

Rob

    <security-constraint>
       <display-name>Secure Access</display-name>
       <web-resource-collection>
          <!-- the deployment descriptor allows one web-resource-name per collection -->
          <web-resource-name>LoginServlet and AdminServlet</web-resource-name>
          <url-pattern>/login</url-pattern>
          <url-pattern>/my-account/*</url-pattern>
          <url-pattern>/acct</url-pattern>
          <url-pattern>/admin</url-pattern>
          <url-pattern>/zadmin/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
          <!-- CONFIDENTIAL makes Tomcat redirect plain http requests for these patterns to https -->
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
    </security-constraint>

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
Sent: Sunday, October 23, 2005 4:19 PM
To: Tomcat Users List
Subject: RE: tomcat 5 http/https config


> From: Rob [mailto:unknown-rider@earthlink.net]
> Subject: tomcat 5 http/https config
>
> The problem we're having is switching back to http (and the session
> dropping).

As I recall, a session can be switched to https from http, but not back
- that is considered to be a security hole.  You might want to check the
mail archives, since I believe it has been discussed a couple of times
in the last few months.

 - Chuck



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
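The behaviour Rob and Chuck describe comes down to the Secure attribute on the session cookie: Tomcat marks JSESSIONID Secure when the session is created during an HTTPS request, and a browser never sends a Secure cookie on an http:// URL, so the http pages arrive with no session id. The script below is an added example, not code from the thread or from Tomcat; it models the browser side with Python's standard cookie jar and a constructed Set-Cookie header (host name, cookie value and paths are assumptions), once for a session created on the https login redirect and once for a session created on a plain http page, to show which requests carry the cookie in each case.

```python
"""Added example (not from the mailing-list post or from Tomcat): model how a
browser's cookie jar treats a JSESSIONID issued over HTTPS (Secure) versus one
issued over plain HTTP (no Secure flag).  Host name, paths and the session id
are constructed for the demonstration."""
import email.message
import http.cookiejar
import urllib.request

HOST = "shop.example.com"  # assumed host name


class FakeResponse:
    """Stand-in for the response object CookieJar.extract_cookies() expects:
    only info() is called, and it must return something with get_all()."""

    def __init__(self, set_cookie_header):
        self._msg = email.message.Message()
        self._msg["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._msg


def receive_session(jar, scheme, path, secure_flag):
    """Model the first request to scheme://HOST/path, where the server creates
    the session.  Tomcat adds 'Secure' when the creating request is HTTPS;
    secure_flag lets us reproduce both cases with a constructed header."""
    req = urllib.request.Request(f"{scheme}://{HOST}{path}")
    header = "JSESSIONID=0123456789ABCDEF; Path=/"  # constructed session id
    if secure_flag:
        header += "; Secure"
    jar.extract_cookies(FakeResponse(header), req)


def cookie_sent(jar, scheme, path):
    """Return the Cookie header the jar attaches to scheme://HOST/path, or
    None when nothing is sent (the server then sees no session at all)."""
    req = urllib.request.Request(f"{scheme}://{HOST}{path}")
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def session_after_https_login():
    """Rob's case: the CONFIDENTIAL redirect to /login creates the session over
    HTTPS, so the cookie is Secure and the next http:// page carries none."""
    jar = http.cookiejar.CookieJar()
    receive_session(jar, "https", "/login", secure_flag=True)
    return {
        "https:/my-account/": cookie_sent(jar, "https", "/my-account/"),
        "http:/catalog": cookie_sent(jar, "http", "/catalog"),
    }


def session_after_http_browse():
    """Session created on a plain http page first: no Secure flag, so the same
    id is sent on both schemes.  The id that guards /my-account/ now also
    travels in cleartext on every http page, which is the exposure Chuck
    refers to when he calls switching back a security hole."""
    jar = http.cookiejar.CookieJar()
    receive_session(jar, "http", "/catalog", secure_flag=False)
    return {
        "https:/my-account/": cookie_sent(jar, "https", "/my-account/"),
        "http:/catalog": cookie_sent(jar, "http", "/catalog"),
    }


if __name__ == "__main__":
    for name, fn in (("https-first", session_after_https_login),
                     ("http-first", session_after_http_browse)):
        print(name)
        for url, cookie in fn().items():
            print(f"  {url:20} -> {cookie}")
```

Run it stand-alone and the first scenario prints a cookie only for the https URL, the second prints the same cookie for both; the second is exactly the configuration that keeps the session across schemes, and it does so by letting the session id that protects the account pages be sniffed on the http ones.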


