tomcat-users mailing list archives

From Tim Funk <>
Subject Re: Old Chestnut (http - https) causing some confusion
Date Fri, 29 Jun 2007 18:00:52 GMT
<security-constraint> only works to say I want pages to be encrypted. 
Not the latter.

The typical complaint is a developer wishes to encrypt the login process 
and nothing else. <security-constraint> only guarantees that your pages 
are secure - but does nothing to get you away from SSL.

Of course - the second your session cookie gets transmitted in the clear 
- your session can be hijacked - but it's all a matter of tradeoffs. In 
most cases protecting the password is enough. The people who are nuts 
for security cringe at the above.

There have been a few arguments about this in the archives. Before 
anyone else jumps in with the opinion - please first rehash the good 
times in the archives. ;)


Christopher Schultz wrote:
> Tim,
> Tim Funk wrote:
>> What you'll really want is to ditch the transport guarantee clause in
>> web.xml and create a filter which will be smart enough to force/unforce
>> you from SSL.
> Why do this when the <security-constraint> already allows you to protect
> only certain URL patterns? It seems to me that maintaining less code in
> your application is a good thing.
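An added example of the kind of filter Tim describes (not code from this thread or from Tomcat itself): it forces HTTPS for a hypothetical `/login` prefix and sends every other request back to plain HTTP, which a `<transport-guarantee>` alone cannot do. It assumes the javax.servlet API, that Tomcat terminates TLS itself so `isSecure()` is reliable, and the standard ports 80 and 443.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Forces HTTPS for one path prefix and redirects every other request back to
// plain HTTP. web.xml's <transport-guarantee> can only express the first half.
public class SchemeSwitchFilter implements Filter {

    // Hypothetical prefix (relative to the context path) that must use TLS.
    private String securePrefix = "/login";

    public void init(FilterConfig cfg) {
        // Optional override via an <init-param> named "securePrefix" in web.xml.
        String p = cfg.getInitParameter("securePrefix");
        if (p != null) securePrefix = p;
    }

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String uri = request.getRequestURI();   // already includes the context path
        boolean wantSecure = uri.startsWith(request.getContextPath() + securePrefix);

        if (wantSecure == request.isSecure()) {
            chain.doFilter(req, res);           // already on the right scheme
            return;
        }

        // Rebuild the same URL on the other scheme, keeping the query string.
        // Assumes ports 80/443, so no explicit port is appended.
        StringBuilder target = new StringBuilder(wantSecure ? "https://" : "http://");
        target.append(request.getServerName()).append(uri);
        if (request.getQueryString() != null) {
            target.append('?').append(request.getQueryString());
        }
        // The tradeoff from the thread applies here: once the browser follows the
        // redirect back to http://, the session cookie travels in the clear.
        response.sendRedirect(target.toString());
    }
}
```

Map the filter to `/*` in web.xml and drop the `<transport-guarantee>`; a redirect of a POST discards its body, so only the login page itself should ever be submitted from the HTTPS side.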
