On Tue, Jul 20, 2004 at 12:08:01PM -0400, Manni Wood wrote: > Along with the ability for your back-end servlets to get a correct > value from ServletRequest.isSecure() depending on whether or not > Apache was originally contacted with HTTP vs HTTPS?
Personally, I always use Apache to authenticate such things directly before allowing anything to execute. By allowing the script to authenticate it, the thing is already running and I'm already prone to whatever some scripter's idea of secure programming is - so there's hardly a point. It's much simpler to just not proxy if the originating request wasn't SSL. But if it's really neccessary that it be conditional, use an X- header, or a query string :-) -- Colm MacCárthaigh Public Key: [EMAIL PROTECTED]