tomcat-users mailing list archives

From Tim Funk <>
Subject Re: web.xml question
Date Wed, 30 Nov 2005 11:37:31 GMT
I think that can work (if you can ensure the URL flow will adhere to your specs)


Robert Palmer wrote:

> I was planning on doing this by having Apache handle the SSL and using 
> its configuration file to differentiate between SSL'd areas of the site 
> and non-SSL'd areas. Is this an option or should I rethink this?
> Tim Funk wrote:
>> I would bet they are not using security constraints as defined in 
>> web.xml. I would bet they are using a 3rd party solution implemented 
>> as a Servlet Filter or something application server specific to handle 
>> this login issue. Notice they do not use JSESSIONID but something 
>> called BV_SessionID as parameter in the query string. A quick google 
>> search seems to show they use BroadVision.
>> -Tim
>> Dean Searle wrote:
>>> Tim,
>>> I'm not an expert with tomcat but how does a site like do
>>> it then? I use their site a lot and it runs jsp's and most of the stuff
>>> is unsecure (http) but when I get ready to do the actual purchase and
>>> log in it is a secure site (https). Is there something that they are
>>> doing, possibly masquerading the url or something?
>>> Again not an expert, but something I have been interested in for some
>>> time myself.
>>> Dean 8-)
>>> -----Original Message-----
>>> From: Tim Funk []
>>> Sent: Tuesday, November 29, 2005 10:34 AM
>>> To: Tomcat Users List
>>> Subject: Re: web.xml question
>>> Security constraints are only imposed on the incoming URL.
>>> Long story short - you'll need to place the entire webapp in SSL. There
>>> is no clean way to use declarative statements to force the login to be
>>> SSL and the rest of the webapp be nonssl.
>>> -Tim 

To unsubscribe, e-mail:
For additional commands, e-mail:
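As an added illustration of Tim's point that a security constraint is evaluated only against the incoming request URL (this is example configuration written for this archive page, not something posted in the thread), the web.xml below declares a CONFIDENTIAL transport guarantee for a `/login/*` path only. The path names, resource name and JSP file names are assumptions chosen for the example.

```xml
<!-- Example web.xml (added here, not from the thread). Paths and names are
     illustrative assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- A request whose URL matches /login/* and arrives over plain HTTP is
       answered with a redirect to the HTTPS connector (the redirectPort
       configured in server.xml). The match is made per request, on the
       URL the client actually sent. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login pages</web-resource-name>
      <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- No constraint covers /catalog/* or /cart/*, so those are served over
       whichever scheme the client used, whether or not a login happened
       earlier in the same session. There is no declarative way to say
       "once this session has logged in over HTTPS, keep it on HTTPS". -->

  <!-- FORM authentication does not rescue the design either: the container
       forwards to the login page internally while the browser's URL stays
       that of the protected resource, and the form posts to
       j_security_check relative to that URL, so the /login/* constraint
       above is never matched during an actual login. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login/login.jsp</form-login-page>
      <form-error-page>/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

</web-app>
```

Whichever way the mixed scheme is arranged, the session cookie is the remaining problem: either it carries the Secure flag and the browser will not send it on the plain-HTTP pages (the login appears to be lost), or it lacks the flag and the session identifier travels unencrypted on every non-SSL request, which is the reason for the advice to put the whole webapp behind SSL. Moving the SSL decision into the Apache front end, as Robert proposes, changes where the redirect is issued but not this property of the session cookie.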
