tomcat-users mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: web.xml question
Date Wed, 30 Nov 2005 11:37:31 GMT

I think that can work (if you can ensure the URL flow will adhere to your specs)

-Tim

Robert Palmer wrote:

> I was planning on doing this by having Apache handle the SSL and using 
> its configuration file to differentiate between SSL'd areas of the site 
> and non-SSL'd areas. Is this an option or should I rethink this?
> 
> Tim Funk wrote:
> 
>> I would bet they are not using security constraints as defined in 
>> web.xml. I would bet they are using a 3rd party solution implemented 
>> as a Servlet Filter or something application server specific to handle 
>> this login issue. Notice they do not use JSESSIONID but something 
>> called BV_SessionID as parameter in the query string. A quick Google 
>> search seems to show they use BroadVision.
>>
>> -Tim
>>
>> Dean Searle wrote:
>>
>>> Tim,
>>>
>>> I'm not an expert with Tomcat but how does a site like samsclub.com do
>>> it then? I use their site a lot and it runs JSPs and most of the stuff
>>> is unsecure (http) but when I get ready to do the actual purchase and
>>> log in it is a secure site (https). Is there something that they are
>>> doing, possibly masquerading the url or something?
>>>
>>> Again not an expert, but something I have been interested in for some
>>> time myself.
>>>
>>> Dean 8-)
>>>
>>> -----Original Message-----
>>> From: Tim Funk [mailto:funkman@joedog.org]
>>> Sent: Tuesday, November 29, 2005 10:34 AM
>>> To: Tomcat Users List
>>> Subject: Re: web.xml question
>>>
>>> Security constraints are only imposed on the incoming URL.
>>>
>>> Long story short - you'll need to place the entire webapp in SSL. There
>>> is no clean way to use declarative statements to force the login to be
>>> SSL and the rest of the webapp be non-SSL.
>>>
>>> -Tim 
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
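
The declarative approach discussed in the thread (put the whole webapp behind SSL), sketched as a `WEB-INF/web.xml` fragment. This is an added example, not configuration posted by anyone on the list; the resource names, the `/members/*` path, the `member` role and the login page paths are assumptions.

```xml
<!-- Added example. All names and paths below are assumptions. -->

<!-- Transport constraint for every URL in the webapp. The container
     matches <url-pattern> against the URL of the incoming request, so
     /* covers the login page, the protected pages and everything else.
     A plain-HTTP request to a matching URL is not served as-is; Tomcat
     redirects it to the connector's redirectPort. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Authentication constraint for the area that needs a login.
     It also carries CONFIDENTIAL so it stays safe if the /* block
     above is ever narrowed. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Members area</web-resource-name>
    <url-pattern>/members/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- FORM login. The login page is reached from the protected request,
     so its transport follows that request's URL, not its own path. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>member</role-name>
</security-role>
```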