tomcat-users mailing list archives

From Robert Palmer
Subject Re: web.xml question
Date Tue, 29 Nov 2005 19:14:37 GMT
I was planning on doing this by having Apache handle the SSL and using 
its configuration file to differentiate between SSL'd areas of the site 
and non-SSL'd areas. Is this an option or should I rethink this?

Tim Funk wrote:

> I would bet they are not using security constraints as defined in 
> web.xml. I would bet they are using a 3rd party solution implemented 
> as a Servlet Filter or something application server specific to handle 
> this login issue. Notice they do not use JSESSIONID but something 
> called BV_SessionID as parameter in the query string. A quick Google 
> search seems to show they use BroadVision.
> -Tim
> Dean Searle wrote:
>> Tim,
>> I'm not an expert with tomcat but how does a site like do
>> it then? I use their site a lot and it runs jsp's and most of the stuff
>> is unsecure (http) but when I get ready to do the actual purchase and
>> log in it is a secure site (https). Is there something that they are
>> doing, possibly masquerading the url or something?
>> Again not an expert, but something I have been interested in for some
>> time myself.
>> Dean 8-)
>> -----Original Message-----
>> From: Tim Funk
>> Sent: Tuesday, November 29, 2005 10:34 AM
>> To: Tomcat Users List
>> Subject: Re: web.xml question
>> Security constraints are only imposed on the incoming URL.
>> Long story short - you'll need to place the entire webapp in SSL. There
>> is no clean way to use declarative statements to force the login to be
>> SSL and the rest of the webapp be nonssl.
>> -Tim 

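The declarative option discussed in the quoted replies, as an added example that is not part of the original thread: a `WEB-INF/web.xml` fragment showing a login-page-only constraint (commented out) beside the whole-webapp constraint. The URL patterns and resource names are assumptions.

```xml
<!-- Added example: fragment of WEB-INF/web.xml.
     /login.jsp and the resource names are assumed, not from the thread. -->
<web-app>

  <!-- Insufficient: a constraint on the login page alone. With FORM
       authentication the container forwards to the login page internally,
       so the incoming URL is the protected resource, not /login.jsp, and
       this constraint is not evaluated for that request.
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login page only</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  -->

  <!-- Whole webapp over SSL: every incoming URL matches, so a plain-HTTP
       request is redirected to the connector's redirectPort. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

When Apache terminates SSL in front of Tomcat, this constraint is satisfied only if the connector reports the request as secure, which the AJP connector does for requests Apache received over HTTPS.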