HAVENS,PETER (HP-Cupertino,ex3) wrote:

> I am using form based authentication on my Tomcat 4.0.4 server and I am
> trying to figure out how to set up a security constraint that would apply
> only to the login page. My global web.xml has a security constraint that
> points to a login.jsp page as the form-login-page. As I understand it, the
> global web.xml can only have one security-constraint. What I want to do is
> configure this login.jsp page to be served up via HTTPS only. This way
> users will not be submitting passwords as plain text.
>
> I know about using the <user-data-constraint> <transport-guarantee>, but I
> do not want to require SSL for all pages, just the login page.
>
> Is this possible?
I don't know whether this is possible - I tried for a while, thinking like you that it was sufficient to protect the login page, until I Saw The Light.

If you only protected the login page, then although the user's password would not be sent in clear, the session id on subsequent pages would be. Since a hacker only needs the session id to masquerade as your logged-in user, you MUST encrypt the entire session after login. This is what the servlet spec mandates, and what Tomcat does.

Martin
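As an added illustration of the point above (this is example configuration written for this thread, not something posted by either participant or shipped with Tomcat): the first security-constraint below is the weak form the question asks for, where only login.jsp gets a CONFIDENTIAL transport-guarantee and every later request, carrying the JSESSIONID cookie, may still travel over plain HTTP. The second constraint is the correction, which puts the CONFIDENTIAL guarantee on /* so the whole authenticated session stays on HTTPS. Both constraints sit in one application-level web.xml (the Servlet 2.3 DTD allows any number of security-constraint elements); the role name "user" and the /protected/* path are assumed for the example.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
          "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- WEAK: only the login page is forced onto HTTPS.  The password is
       protected, but the session id issued after login is then sent in
       clear on every subsequent HTTP request and can be replayed. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login page only (insufficient)</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- CORRECT: every URL in the application requires HTTPS, so the session
       id (JSESSIONID) is never exposed on the wire after authentication.
       No auth-constraint here: this rule is about transport, not roles. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application over SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Access control for the area that actually needs a logged-in user.
       The role name "user" and the /protected/* path are assumed. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form-based login, as in the question: login.jsp is the form-login-page. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

With the /* constraint in place, a plain-HTTP request for any page is redirected by Tomcat to its SSL connector (the redirectPort configured on the non-SSL Connector in server.xml), so users can still type an http:// URL but never complete a request, or present a session cookie, in clear.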