tomcat-users mailing list archives

From Robert Palmer <rob...@greetin.gs>
Subject Re: web.xml question
Date Tue, 29 Nov 2005 19:14:37 GMT
I was planning on doing this by having Apache handle the SSL and using 
its configuration file to differentiate between SSL'd areas of the site 
and non-SSL'd areas. Is this an option or should I rethink this?

Tim Funk wrote:

> I would bet they are not using security constraints as defined in 
> web.xml. I would bet they are using a 3rd party solution implemented 
> as a Servlet Filter or something application server specific to handle 
> this login issue. Notice they do not use JSESSIONID but something 
> called BV_SessionID as parameter in the query string. A quick Google 
> search seems to show they use BroadVision.
>
> -Tim
>
> Dean Searle wrote:
>
>> Tim,
>>
>> I'm not an expert with Tomcat but how does a site like samsclub.com do
>> it then? I use their site a lot and it runs JSPs and most of the stuff
>> is unsecure (http) but when I get ready to do the actual purchase and
>> log in it is a secure site (https). Is there something that they are
>> doing, possibly masquerading the url or something?
>>
>> Again not an expert, but something I have been interested in for some
>> time myself.
>>
>> Dean 8-)
>>
>> -----Original Message-----
>> From: Tim Funk [mailto:funkman@joedog.org]
>> Sent: Tuesday, November 29, 2005 10:34 AM
>> To: Tomcat Users List
>> Subject: Re: web.xml question
>>
>> Security constraints are only imposed on the incoming URL.
>>
>> Long story short - you'll need to place the entire webapp in SSL. There
>> is no clean way to use declarative statements to force the login to be
>> SSL and the rest of the webapp be non-SSL.
>>
>> -Tim 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
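
Added example, not part of the original thread: a web.xml fragment showing the whole-webapp SSL constraint that Tim describes in the quoted reply. The resource name is an assumption made for illustration, and /login.jsp in the comment is a hypothetical login page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; not code from the thread or from the Tomcat project. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!--
    A constraint placed only on a login page URL (for example a hypothetical
    /login.jsp) is matched against the URL of the incoming request. It does
    not cover requests for other URLs, so it cannot by itself make "login
    over SSL, everything else over plain HTTP" hold for the application.
  -->

  <!-- Whole application requires a confidential transport. -->
  <security-constraint>
    <web-resource-collection>
      <!-- Assumed name; any descriptive label works. -->
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <!-- CONFIDENTIAL: requests that arrive over plain HTTP are not served
           as-is; Tomcat redirects them to the connector's redirectPort. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

Because the pattern is /*, the session cookie and every page are covered by the same transport guarantee, which is the "entire webapp in SSL" arrangement from the quoted reply.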