Return-Path: 
 <users-return-134757-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: (qmail 72047 invoked from network); 21 Oct 2005 16:14:20 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 21 Oct 2005 16:14:20 -0000
Received: (qmail 43574 invoked by uid 500); 21 Oct 2005 16:14:06 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 43546 invoked by uid 500); 21 Oct 2005 16:14:06 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 43535 invoked by uid 99); 21 Oct 2005 16:14:06 -0000
Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 21 Oct 2005 09:14:06 -0700
X-ASF-Spam-Status: No, hits=0.0 required=10.0
	tests=
X-Spam-Check-By: apache.org
Received-SPF: pass (asf.osuosl.org: local policy)
Received: from [64.49.222.30] (HELO mail.webtuitive.com) (64.49.222.30)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 21 Oct 2005 09:14:03 -0700
Received: from [192.168.1.50] (dsl092-004-182.sfo1.dsl.speakeasy.net
 [66.92.4.182])
	(authenticated bits=0)
	by mail.webtuitive.com (8.12.11/8.12.10) with ESMTP id j9LGDfQM010080
	for <users@tomcat.apache.org>; Fri, 21 Oct 2005 11:13:42 -0500
Message-ID: <4359140B.3080706@webtuitive.com>
Date: Fri, 21 Oct 2005 09:15:07 -0700
From: Hassan Schroeder <hassan@webtuitive.com>
User-Agent: Mozilla Thunderbird 0.9 (X11/20041103)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: SSL and Tomcat - can't secure individula pages
References: <4358F794.6010400@technologist.com>
In-Reply-To: <4358F794.6010400@technologist.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

Greg Brownell wrote:

> My whole site, all pages, are redirected to port 443 - everything is
> secure.  I only wanted the *.htm and the single file login.jsp to use
> https.

> What am I doing wrong? I thought the <web-resource-collection> in
> <security-constraint> was there to identify which pages should be secure?

which pages *must* be secure -- other pages *may* be served securely.

If you are using URLs in your secure *.htm pages that don't specify
the protocol, e.g.,

  <a href="/nonsecure.jsp">go</a>

and that page is accessed via HTTPS, the actual URL is

  https://example.com/nonsecure.jsp

If you want it served as `http://example.com/nonsecure.jsp`, you'll
have to be more explicit about that URL...  :-)

HTH,
-- 
Hassan Schroeder ----------------------------- hassan@webtuitive.com
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

                          dream.  code.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org