tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Regarding Connector in tomcat 6
Date Thu, 25 Feb 2010 09:00:36 GMT
Cummins College wrote:
> Hi,
> 
> Actually we are designing a security layer over our web app. We want to give
> the user an option of choosing between http or https on login. Hence the
> need of changing from http to https or vice-versa at runtime.
> 
I have the impression that you are going about this in a complicated way 
(and one which in my opinion would never work anyway).  Let me suggest a 
setup which should not require switching any Connectors or settings 
thereof:
- set up two separate versions of your webapp (say webapps/ourapp and 
webapps/ourapp-secure).  As far as I know, they can share exactly the 
same code and just differ by the context name and the content of their 
WEB-INF/web.xml.
- modify the web.xml of the "secure" version to make HTTPS mandatory for 
that one
- set up two Connectors, one HTTP and one HTTPS.
- when users try to access the application, they will initially get a 
login page.  Make that page normally submit to the "unsecure" webapp 
over HTTP, but offer a button on it leading to the secure version of the 
app under HTTPS.  This button is just a link to 
https://yourserver.company.com/ourapp-secure.
When they click on it, they will get the login page again, but this time 
they are (and will remain) in the HTTPS side of things.
With a little bit of Javascript inventiveness in the login page, I am 
sure that there must be a way to submit the login to either the secure 
or non-secure version of the application, without need for the browser 
to reload the page.

Now the basic question still remains: given a choice between a secure 
and a non-secure session, and an identical application afterward, why 
would a user choose an unsecure session? Because he feels compassion 
for the poor hacker trying to break in?


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
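The two-context setup sketched in the reply above, written out as configuration. This is an added example, not part of the original message or of any Tomcat distribution; the context name ourapp-secure, the port numbers and the keystore path and password are placeholders chosen for illustration.

```xml
<!-- Added example (not from the original message). Two files are shown:
     the web.xml of the hypothetical "ourapp-secure" context and the two
     Connectors in conf/server.xml. Ports, keystore path and password are
     placeholders. -->

<!-- ===== webapps/ourapp-secure/WEB-INF/web.xml ===== -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Require TLS for every URL in this context. A request that arrives
       over plain HTTP is not served; Tomcat answers with a redirect to the
       same path on the HTTP Connector's redirectPort (see server.xml). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire secure application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>

<!-- ===== conf/server.xml (Connector fragment only) ===== -->
<!-- Plain HTTP Connector. redirectPort must equal the port of the HTTPS
     Connector below, otherwise the CONFIDENTIAL redirect points nowhere. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- HTTPS Connector. Users who follow the
     https://yourserver.company.com/ourapp-secure link land here and stay
     here; the "unsecure" webapps/ourapp context is reachable on both ports. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="CHANGEME-keystore-password" />
```

Two consequences of this layout are worth knowing before deploying it. First, because ourapp and ourapp-secure are separate contexts, each has its own session manager, so a session created in the plain context is not carried over to the secure one; that matches the reply's expectation that the user sees the login page again after clicking the HTTPS link. Second, the CONFIDENTIAL constraint covers the whole secure context, so even a user who types http://yourserver.company.com/ourapp-secure by hand is redirected to HTTPS rather than served in the clear.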

