From: "Rob"
To: "Tomcat Users List"
Subject: tomcat 5 combined http and https, same session
Date: Mon, 24 Oct 2005 18:13:47 -0500

Hi All,

I looked through the mail archives as well - past two years. There's some interesting info, but nothing that seems to address the issue.

My goal is to run https for some pages in my webapp, and http for other pages, using the same session. It's working where I can redirect from http to https (see the web.xml security constraint block below), but then I'm in https for all web pages, and if I type http at the URL, the session goes away. What I'm aiming for is a webapp where account info is secure and general web pages are http, and the session is preserved.

Any thoughts, ideas, comments, quotes, anything? I've searched pretty well, I think, and I don't see any responses to this problem. Is that strange? I thought a lot of people would use tomcat for an e-commerce or retail webapp, where some pages were https and some http using the same session.

help!

thanks,
Rob

  <!-- The element tags of this block were lost in the archive. The
       nesting below is reconstructed (an assumption); the names, URL
       patterns and transport guarantee are as posted. -->
  <security-constraint>
    <display-name>Secure Access</display-name>
    <web-resource-collection>
      <web-resource-name>LoginServlet AdminServlet</web-resource-name>
      <url-pattern>/login</url-pattern>
      <url-pattern>/my-account/*</url-pattern>
      <url-pattern>/acct</url-pattern>
      <url-pattern>/admin</url-pattern>
      <url-pattern>/zadmin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
Sent: Sunday, October 23, 2005 4:19 PM
To: Tomcat Users List
Subject: RE: tomcat 5 http/https config

> From: Rob [mailto:unknown-rider@earthlink.net]
> Subject: tomcat 5 http/https config
>
> The problem we're having is switching back to http (and the session
> dropping).

As I recall, a session can be switched to https from http, but not back - that is considered to be a security hole. You might want to check the mail archives, since I believe it has been discussed a couple of times in the last few months.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
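The symptom Rob describes and the hole Chuck refers to both come down to the Secure attribute on the session cookie. The following is an added example, not code from this thread or from Tomcat itself: it is a small Python model of a browser cookie jar and a servlet-style container, and it assumes the container behaves as Tomcat does, issuing the JSESSIONID cookie when a session is first created and marking it Secure when that creation happened over https. The Server class, the browse() helper and every name and value in it are constructed for the illustration. A browser never attaches a Secure cookie to an http request, so a session begun on the https login page is invisible to an http page and a fresh, empty session is created there. Turning the flag off keeps one session across both schemes, but the model also records that the session id then travels in clear over http, which is the exposure behind the "not back" rule.

```python
"""Model of why a session created over https is not seen over http.

Constructed example, not Tomcat code: a browser cookie jar that follows the
RFC 6265 rule for the Secure attribute, plus a container-style session store.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # Secure attribute: a browser sends this cookie only over https


@dataclass
class CookieJar:
    """Browser-side jar. Same-name cookies simply replace each other here
    (the original RFC 6265 behaviour), which keeps the model small."""
    cookies: dict = field(default_factory=dict)

    def store(self, cookie: Cookie) -> None:
        self.cookies[cookie.name] = cookie

    def header_for(self, scheme: str) -> str:
        """Cookie header the browser would attach to a request over `scheme`."""
        sendable = [c for c in self.cookies.values()
                    if scheme == "https" or not c.secure]
        return "; ".join(f"{c.name}={c.value}" for c in sendable)


class Server:
    """Container-style session handling (assumed to mirror Tomcat): the session
    cookie is issued when the session is created and, if that request came
    over https, it is marked Secure."""

    def __init__(self, secure_cookie_when_https: bool = True):
        self.sessions = {}
        self.secure_cookie_when_https = secure_cookie_when_https

    def handle(self, scheme: str, cookie_header: str):
        cookies = dict(p.split("=", 1) for p in cookie_header.split("; ") if p)
        sid = cookies.get("JSESSIONID")
        set_cookie = None
        if sid not in self.sessions:        # no cookie, or an unknown id: new session
            sid = secrets.token_hex(8)
            self.sessions[sid] = {"hits": 0}
            set_cookie = Cookie("JSESSIONID", sid,
                                secure=(scheme == "https" and self.secure_cookie_when_https))
        self.sessions[sid]["hits"] += 1
        return sid, self.sessions[sid]["hits"], set_cookie


def browse(server: Server, schemes):
    """Replay a sequence of requests. Returns one (scheme, session id, hit count)
    per request and the set of session ids that crossed the wire unencrypted."""
    jar, trace, sent_in_clear = CookieJar(), [], set()
    for scheme in schemes:
        sid, hits, set_cookie = server.handle(scheme, jar.header_for(scheme))
        if set_cookie is not None:
            jar.store(set_cookie)
        if scheme == "http":   # the id was in the Cookie or Set-Cookie header of an http exchange
            sent_in_clear.add(sid)
        trace.append((scheme, sid, hits))
    return trace, sent_in_clear


if __name__ == "__main__":
    # Rob's sequence: two https pages (login, account), then an http URL typed by hand
    trace, leaked = browse(Server(), ["https", "https", "http"])
    for scheme, sid, hits in trace:
        print(f"{scheme:5} session={sid} hit={hits}")
    print("session ids sent over http:", leaked)
```

With the default Server the third request gets a new session id with a hit count of 1, which is exactly the "session goes away" Rob sees. With Server(secure_cookie_when_https=False) all three requests share one session, but that id appears in the sent_in_clear set, which is what a reviewer of such a configuration would want to know.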
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org