On Mon, Nov 22, 2004 at 08:21:11AM -0800, footh wrote:
> On another note, once I'm in a page that is set to use
> SSL all relative links within that page continue to
> use SSL even though I would rather they be non-SSL.
> Is there an easy way to prevent that other than
> hardcoding absolute URLs in all the non-SSL links?

Nope. That's just how relative links work. The "https://" part is treated no differently than the "www.somewhere.com" portion.

> I guess I could set transport-guarantee tags to NONE
> for every single non-SSL page. That just seems like a
> bit of an administrative hassle as every time I add a
> new page (or rather, folder) I'd have to add the
> appropriate transport tag.

That won't work. The guarantee is a _minimum_ guarantee. If you really want to switch back to non-SSL after login you need to jump through another explicit redirect.

It seems almost like Tomcat handles that automatically for you, except that the save request is not available to an http login form if the original request was https. I.e., if I point my browser at "https://foo.com/some_protected_page", then simulate a redirect by going to "http://foo.com/unprotectedlogin.html" and submit the form (which would be "http://foo.com/j_security_check"), it complains that the "time allowed for the login process has been exceeded". However, if the original page is http and the login form is submitted with https then it works fine.

That seems like an explicit constraint that Tomcat enforces, but I can't find where in the authentication code it does that. Of course, encrypting other requests and not the login page is a pretty stupid thing to do. :)

eric
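
Added example, not part of the original message: the relative-link behaviour described in the reply, shown by resolving hrefs against an https page with the standard URL class and flagging the only kind of link that can leave TLS. The host foo.com comes from the thread; the paths and the function names classifyHref and auditLinks are constructed for illustration.

```javascript
// Classify an href by how much of the page URL it inherits.
function classifyHref(href) {
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(href)) return "absolute";
  if (href.startsWith("//")) return "scheme-relative";
  if (href.startsWith("/")) return "host-relative";
  return "path-relative";
}

// Resolve each href the way a browser does (WHATWG URL resolution) and
// report whether following it from an https page would drop to http.
function auditLinks(pageUrl, hrefs) {
  const base = new URL(pageUrl);
  return hrefs.map((href) => {
    const resolved = new URL(href, base);
    const kind = classifyHref(href);
    return {
      href,
      kind,
      resolved: resolved.href,
      // Only an absolute URL can name a scheme different from the page's.
      inheritsScheme: kind !== "absolute",
      leavesTls: base.protocol === "https:" && resolved.protocol === "http:",
    };
  });
}

// Constructed sample links, as they might appear on a page served over SSL.
const sample = [
  "catalog/index.jsp",
  "../public/about.html",
  "/public/faq.html",
  "//foo.com/public/news.html",
  "http://foo.com/public/home.html",
];

for (const r of auditLinks("https://foo.com/account/settings.jsp", sample)) {
  console.log(r.kind.padEnd(16), r.leavesTls ? "-> http" : "stays  ", r.resolved);
}
```

Every form except the absolute URL resolves to https because the scheme is taken from the page, just like the host name.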