tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: j_security_check with https
Date Tue, 06 Jan 2009 22:30:38 GMT
Gregor Schneider wrote:
> On Tue, Jan 6, 2009 at 9:13 PM, Diego Armando Gusava
> <diegogusava@gmail.com> wrote:
>> no man, example, email
>>
>> when you log in, your username and password will be transported over https, but
>> after that, you are in http! You don't need https because you are only
>> reading messages (emails)
>>
> 
> Then just phrase your url-pattern in your security-constraint-section
> accordingly - should work.

It won't. Tomcat won't let a session created under HTTPS transition to HTTP as
the session ID is effectively the password. If the password needed HTTPS then
the session ID does too.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
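
The point made in this reply, shown as a `web.xml` deployment descriptor. This is an added example, not configuration posted in the thread: the resource names, role name, page paths and URL patterns are assumptions, and `<cookie-config>` assumes a Servlet 3.0 or later container.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. Names, paths and patterns are illustrative. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <!--
    Pattern suggested in the quoted text (left commented out): only the login
    URL requires TLS. The reply explains why this does not work: the session ID
    issued at login would have to travel over plain HTTP afterwards.
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>login-only</web-resource-name>
      <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  -->

  <!-- Every URL that relies on the authenticated session requires TLS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole-application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- FORM login posts the credentials to j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <!-- Secure: the browser never sends the session cookie over plain HTTP. -->
  <session-config>
    <cookie-config>
      <secure>true</secure>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>
```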

