tomcat-users mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: Old Chestnut (http - https) causing some confusion
Date Fri, 29 Jun 2007 18:00:52 GMT
<security-constraint> only works to say I want pages to be encrypted. 
Not the latter.

The typical complaint is a developer wishes to encrypt the login process 
and nothing else. <security-constraint> only guarantees that your pages 
are secure - but does nothing to get you away from ssl.

Of course - the second your session cookie gets transmitted in the clear 
- your session can be hijacked - but it's all a matter of tradeoffs. In 
most cases protecting the password is enough. The people who are nuts 
for security cringe at the above.

There have been a few arguments about this in the archives. Before 
anyone else jumps in with the opinion - please first rehash the good 
times in the archives. ;)

-Tim

Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Tim,
> 
> Tim Funk wrote:
>> What you'll really want is to ditch the transport guarantee clause in
>> web.xml and create a filter which will be smart enough to force/unforce
>> you from SSL.
> 
> Why do this when the <security-constraint> already allows you to protect
> only certain URL patterns? It seems to me that maintaining less code in
> your application is a good thing.
>  
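The "filter which will be smart enough to force/unforce you from SSL" that Tim mentions, written out as an added example (this is not Tim's code and not part of Tomcat). It assumes the Servlet 2.x `javax.servlet` API, a package name `example`, and hypothetical init-params `securePrefixes`, `unforce`, `httpPort` and `httpsPort`; the web.xml wiring in the leading comment is likewise constructed for the example.

```java
// Added example, not code from the thread or from Tomcat: a Filter that forces
// the login URLs onto SSL and, only if asked to, sends everything else back to
// plain HTTP. Hypothetical web.xml wiring (init-param names are assumptions):
//
//   <filter>
//     <filter-name>SslSwitchFilter</filter-name>
//     <filter-class>example.SslSwitchFilter</filter-class>
//     <init-param><param-name>securePrefixes</param-name>
//                 <param-value>/login,/j_security_check</param-value></init-param>
//     <init-param><param-name>unforce</param-name><param-value>false</param-value></init-param>
//   </filter>
//   <filter-mapping><filter-name>SslSwitchFilter</filter-name>
//                   <url-pattern>/*</url-pattern></filter-mapping>
package example;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SslSwitchFilter implements Filter {
    private String[] securePrefixes = new String[0]; // paths that must be served over SSL
    private boolean unforce;                         // true = redirect other paths back to http
    private int httpPort = 80;                       // assumed defaults, overridable by init-param
    private int httpsPort = 443;

    public void init(FilterConfig cfg) throws ServletException {
        String p = cfg.getInitParameter("securePrefixes");
        if (p != null) securePrefixes = p.trim().split("\\s*,\\s*");
        unforce = "true".equalsIgnoreCase(cfg.getInitParameter("unforce"));
        if (cfg.getInitParameter("httpPort") != null)
            httpPort = Integer.parseInt(cfg.getInitParameter("httpPort"));
        if (cfg.getInitParameter("httpsPort") != null)
            httpsPort = Integer.parseInt(cfg.getInitParameter("httpsPort"));
    }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the web application, e.g. "/login.jsp".
        String path = request.getRequestURI().substring(request.getContextPath().length());
        boolean wantsSsl = needsSsl(path);

        if (wantsSsl && !request.isSecure()) {
            // Force: this is the part <security-constraint> with CONFIDENTIAL already does.
            // A redirect drops any POST body, so protected forms must be reached by GET first.
            response.sendRedirect(rewrite(request, "https", httpsPort));
            return;
        }
        if (!wantsSsl && request.isSecure() && unforce && "GET".equals(request.getMethod())) {
            // Unforce: the trade-off discussed above. After this redirect the browser sends
            // JSESSIONID in the clear on the next request, so the authenticated session itself
            // becomes hijackable; keep unforce=false unless that risk has been accepted.
            response.sendRedirect(rewrite(request, "http", httpPort));
            return;
        }
        chain.doFilter(req, res);
    }

    // Prefix match against the configured secure paths.
    boolean needsSsl(String path) {
        for (int i = 0; i < securePrefixes.length; i++) {
            if (securePrefixes[i].length() > 0 && path.startsWith(securePrefixes[i])) return true;
        }
        return false;
    }

    // Rebuild the current URL with a different scheme and port, keeping the query string.
    private static String rewrite(HttpServletRequest request, String scheme, int port) {
        StringBuffer url = new StringBuffer(scheme).append("://").append(request.getServerName());
        boolean defaultPort = ("http".equals(scheme) && port == 80)
                           || ("https".equals(scheme) && port == 443);
        if (!defaultPort) url.append(':').append(port);
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) url.append('?').append(request.getQueryString());
        return url.toString();
    }
}
```

`request.isSecure()` reports what the connector saw, so if Tomcat sits behind a proxy that terminates SSL the filter will loop unless the connector is configured to mark those requests secure; the `unforce` branch is the one that recreates the plaintext-cookie exposure the thread describes and is off by default here.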

