I read this post and have a question...and maybe I'm not understanding
https correctly, but why is your login PAGE secure? I wouldn't care if
someone sees an empty page with a prompt for the username and password. The post should be secure though... In other words... can't you have a
page http://www.example.com/login.jsp post to something like
https://www.example.com/login.do [snipped...]
I'm talking about container-managed security where the form submit is to j_security_check, as per the servlet spec. There isn't much flexibility there. For a secure login, you must post to https://mydomain/myapp/j_security_check and for a non-secure post, to http://mydomain/myapp/j_security_check. You can't mix and match.
Adam
-- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
