tomcat-users mailing list archives

From: Tim Funk
Subject: Re: web.xml question
Date: Tue, 29 Nov 2005 18:22:53 GMT

I would bet they are not using security constraints as defined in web.xml. I
would bet they are using a 3rd-party solution implemented as a Servlet Filter
or something application-server-specific to handle this login issue. Notice
they do not use JSESSIONID but something called BV_SessionID as a parameter in
the query string. A quick Google search seems to show they use BroadVision.


Dean Searle wrote:

> Tim,
> I'm not an expert with Tomcat but how does a site like do
> it then? I use their site a lot and it runs JSPs and most of the stuff
> is unsecure (http) but when I get ready to do the actual purchase and
> log in it is a secure site (https). Is there something that they are
> doing, possibly masquerading the URL or something?
> Again not an expert, but something I have been interested in for some
> time myself.
> Dean 8-)
> -----Original Message-----
> From: Tim Funk
> Sent: Tuesday, November 29, 2005 10:34 AM
> To: Tomcat Users List
> Subject: Re: web.xml question
> Security constraints are only imposed on the incoming URL.
> Long story short - you'll need to place the entire webapp in SSL. There
> is no clean way to use declarative statements to force the login to be
> SSL and the rest of the webapp be nonssl.
> -Tim 
