tomcat-users mailing list archives

From "Diego Armando Gusava" <diegogus...@gmail.com>
Subject Re: j_security_check with https
Date Tue, 06 Jan 2009 23:07:05 GMT
My question is how to combine form-based authentication, where we use
"j_security_check", "j_username" etc., with https.
As far as I know, if we use form-based authentication, the username and
password will be authenticated by the container-managed resource
called "j_security_check". But the data transfer from the client browser to
Tomcat will still be plain text. I want to encrypt this, and
obviously I need to use https.
So how do I combine both, and how will Tomcat help me do this?

2009/1/6 Mark Thomas <markt@apache.org>:
> Gregor Schneider wrote:
>> On Tue, Jan 6, 2009 at 9:13 PM, Diego Armando Gusava
>> <diegogusava@gmail.com> wrote:
>>> no man, for example, email
>>>
>>> when you log in, your username and password will be transported over https, but
>>> after that, you are in http! You don't need https because you are only
>>> reading messages (emails)
>>>
>>
>> Then just phrase your url-pattern in your security-constraint-section
>> accordingly - should work.
>
> It won't. Tomcat won't let a session created under HTTPS transition to HTTP as
> the session ID is effectively the password. If the password needed HTTPS then
> the session ID does too.
>
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
