Hello Dave, in the future reply with more info and you will get better help. I
will put an example at the bottom. I'm an old-school JSP guy and not a JSF guy
but I understand that JSF files still end in (dot).jsp? If I'm right then the
rules should apply where a security constraint is defined.
You cannot and must not show that your page is secure, because it is not.
The problem is that your page is vulnerable to a man-in-the-middle
attack: there is no guarantee that the text of your web page or of the
javascript files that it is using was not altered by someone while it
was transmitted
Yep, Konstantin is right. This is what I do with all of my public pages that I
want secured. This means I https ALL pages without exception if I want it to be
secure. The net is nasty. You may have performance issues but once your public
server is breached you will have more issues. As I said
For jsf page (myfaces), some data need to go through SSL such as bank
information.
For better performance, other pages(or forms) can use http.
h:form ... /h:form
h:form ... /h:form
if a form may contain personal data, it should be summitted using https. Also
we need to let
