I was trying to use the "webapps/examples/jsp/security/protected" example with SSL but experienced strange effects with different browsers.
I did the following with Tomcat 4.1.12LE (JBoss bundle, but shouldn't matter as Tomcat was started standalone):

I successfully enabled SSL by uncommenting and modifying server.xml like this:

    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="10" debug="0"
               scheme="https" secure="true"
               useURIValidationHack="false">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS"
               keystoreFile="C:/jboss/tomcat-4.1.x/bin/jboss.keystore"
               keystorePass="*****" />
    </Connector>

I changed the web.xml of the examples application by adding into <security-constraint>:

    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

When opening the URL:

    http://localhost:8080/examples/jsp/security/protected

I expected an automatic redirect to

    https://localhost:8443/examples/jsp/security/protected/login.jsp

to obey the transport guarantee as specified above.

When I try with Mozilla it works as expected. When using IE, I get a popup (because I just use an SSL test certificate) - so far so good, but the redirect fails and IE stalls while loading. If I manually use https://localhost:8443 everything is fine. Obviously only the redirection does not work with IE.

Any idea what could be wrong? Did I set up anything wrong or can anyone confirm this problem?

Anyhow, also with both Mozilla and Opera I get HTTP errors sometimes:

    https://localhost:8443/examples/jsp/security/protected/j_security_check

pops up a status 400 message:
"Invalid direct reference to form login page" and
"The requested resource (/examples/jsp/security/protected/j_security_check) is not available."

or a status 404 message:
"/examples/jsp/security/protected/j_security_check" and
"The requested resource (/examples/jsp/security/protected/j_security_check) is not available."

These problems occur when hitting the back button in my browser after having successfully logged on as user "tomcat". So I log on using login.jsp with a valid user, view the index.jsp and hit "back". When I try to submit again I get those errors.

What can be done to avoid these problems? I would like to be able to hit "back" and either get to the error.jsp or index.jsp when I try to log on repeatedly instead of that "j_security_check" resource.

One more question: Tomcat can handle the automatic redirection with these security constraints, but actually I only need SSL for login purposes. So after automatic SSL login, I'm stuck on https on port 8443 if I don't manually load an http URL later. But this would require specifying http://host:port somewhere instead of using relative links, which I prefer so that the webapp does not need to know the server names etc.

What is a good practice for SSL login in general? Also in case I want to use Struts for, let's say, an e-commerce-like site where you just have to log on or need SSL security for one single login page. Later I'd like to use http again and would prefer not to hard-code host:port into any page.

Is it a good idea to let Tomcat do this login stuff with all the above issues, or should one better code it oneself?

Thanks!
mech