You check the request protocol for "http" or "https". If it's "http" and the page should be "https" then you redirect them either to a login page or the SSL version of the URL.
In general, you want ALL pages protected by SSL in a given context...you don't want to be switching back and forth, and you don't want to protect only the page that asks for a password. What I've seen done in the past is that people create something like /myapp/jsp and /myapp/protected and /protected has all SSL content. John > -----Original Message----- > From: Cook, Christopher H (IndSys, GE Interlogix) > [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, December 17, 2002 3:43 PM > To: [EMAIL PROTECTED] > Subject: Selecting which pages to use SSL with > > > The documentation supplied for tomcat that pertains to the > configuration of ssl states - > "indeed a developer can pick and choose which pages require a > secure connection and which do not. For a reasonably busy > site, it is customary to only run certain pages under SSL, > namely those pages where sensitive information could possibly > be exchanged. ... Any pages which absolutely require a > secure connection should check the protocol type associated > with the page request and take the appropriate action of > https is not specified." > > I have SSL set up in my application currently, so that any > page I request can either use https or http. How do restrict > access to some pages using http, while allowing others to use > it? Basically how do I implement the scenario's described in > the above passage? Or where is there documentation on this? > > Thanks, > > Chris > > -- > To unsubscribe, e-mail: > <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: > <mailto:[EMAIL PROTECTED]> > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>