tomcat-users mailing list archives

From dirk ooms <d...@onesparrow.com>
Subject only https on login form
Date Wed, 05 Jul 2006 12:43:15 GMT
Hi List,

I am using a form-based login in my Tomcat application. My intention was to 
use https on the login form page, but once the user is logged in, http would 
be ok for further interaction (my main concern was not to send the password 
in the clear).

I had hoped to obtain this behavior with the below web.xml excerpt, but with 
this configuration everything happens over http (note that I know how to let 
everything happen over https).

Is there a way to do this or am I missing something?

cheers,
dirk

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Subscriber</web-resource-name>
      <url-pattern>/subscriberCtrl</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>subscriber</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/errorLogin.html</form-error-page>
    </form-login-config>
  </login-config>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
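
The following audit sketch is an added example, not part of the original message or of Tomcat. It parses the excerpt above (wrapped in a constructed <web-app> root) and lists the URL patterns that trigger the FORM login without a transport guarantee, on the assumption that the container displays /login.html by an internal forward from the protected request, so the CONFIDENTIAL constraint on /login.html itself is not evaluated. The function name audit_form_login is hypothetical.

```python
import xml.etree.ElementTree as ET

# Excerpt from the message, wrapped in a constructed <web-app> root so it parses.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Subscriber</web-resource-name>
      <url-pattern>/subscriberCtrl</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>subscriber</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/errorLogin.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def audit_form_login(web_xml):
    """Return url-patterns that trigger FORM login but accept plain http."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]  # tolerate namespaced descriptors
    method = (root.findtext("login-config/auth-method") or "").strip().upper()
    if method != "FORM":
        return []
    exposed = []
    for sc in root.iter("security-constraint"):
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        # Only constraints that demand authentication can trigger the login form.
        if sc.find("auth-constraint") is None or guarantee in ("CONFIDENTIAL", "INTEGRAL"):
            continue
        exposed += [(p.text or "").strip() for p in sc.iter("url-pattern")]
    return exposed

if __name__ == "__main__":
    print(audit_form_login(WEB_XML))
```

For the excerpt in the message it reports /subscriberCtrl: the only constraint that demands authentication carries no transport guarantee.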

