I've implemented a sample web application which implements the common use of Form Based Login: if the user tries to access a protected resource and is not authenticated yet, he receives a login form. After authentication he gains access to the protected resource. So far everything is all right and my application behaves as expected (with Tomcat 4b1).

To make the transmission of username/password secure, I'd like to restrain access to the login form so that it can be accessed only via SSL. But this is the *only* thing I'd like to secure with SSL, everything else should be accessible via http. My deployment descriptor is attached.

My PROBLEM is now that Tomcat doesn't switch between http and https respectively. If the initial access to the protected resource is via http, the login form is also accessed via http, *although* I required secure access in the deployment descriptor. If I access the login form via https://sample.org/login.html a secure connection is established, but j_security_check sends me nowhere.

Am I missing something? Why does Tomcat not switch automatically? Can I switch manually?

-martin

ps: Sorry if this has been on the list, but I wasn't able to find something like this in the (hardly usable) archive.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<web-app>

  <!-- Define a Security Constraint on the Login Page -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login Page</web-resource-name>
      <url-pattern>/login.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Define a Security Constraint on the protected area -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

</web-app>
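Added example, not part of the original post and not Tomcat code: a small Python check that reads the security constraints and login pages from the descriptor above and reports, for each path, the transport guarantee and roles of the best-matching constraint. The url-pattern matching is a simplified form of the servlet rules (exact, then longest path prefix, then extension); the function names and the path `/protected/index.html` are constructed for the example.

```python
import xml.etree.ElementTree as ET
# Descriptor from the post, condensed (resource names dropped); embedded to run offline.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection><url-pattern>/login.html</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection><url-pattern>/protected/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>user</role-name></auth-constraint>
</security-constraint>
<login-config><auth-method>FORM</auth-method><form-login-config>
  <form-login-page>/login.html</form-login-page>
  <form-error-page>/login-error.html</form-error-page>
</form-login-config></login-config>
</web-app>"""

def rank(pattern, path):
    """Simplified servlet url-pattern match: exact > longest prefix > extension."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, len(pattern))
    return None

def load_constraints(xml_text):
    """Yield (url-pattern, transport-guarantee, roles) for every constraint."""
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        tg = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        roles = [r.text.strip() for r in sc.iter("role-name")]
        for p in sc.iter("url-pattern"):
            yield p.text.strip(), tg, roles

def effective(xml_text, path):
    """(transport guarantee, roles) of the best-matching constraint for path."""
    hits = [(rank(p, path), tg, roles) for p, tg, roles in load_constraints(xml_text)]
    best = max((h for h in hits if h[0]), key=lambda h: h[0], default=(None, "NONE", []))
    return best[1], best[2]

def form_pages(xml_text):
    """Login and error page paths named in <login-config>."""
    cfg = ET.fromstring(xml_text).find("login-config/form-login-config")
    return [cfg.findtext("form-login-page"), cfg.findtext("form-error-page")]

if __name__ == "__main__":
    for path in ["/protected/index.html"] + form_pages(WEB_XML):
        print(path, *effective(WEB_XML, path))
```

For this descriptor the check reports CONFIDENTIAL only for `/login.html`; the protected area and the error page carry no transport guarantee.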