> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
>
> If you're going to switch from https->http, you are totally wasting your
> time messing with https in the first place. It buys you nothing except a
> *perception* that you are more secure -- that is not the reality.

You keep repeating this over and over as if it's some sort of Absolute Truth. It's not.

As long as you require reauthentication whenever you make the transition to the secure (https) portions of your webapp, there is nothing magically insecure about sending your users back to plain old http when they're navigating the boring parts. It's not rocket science, and people build webapps that do this all the time. Just not with Tomcat.

Jeff Schnitzer
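
A model of the scheme this reply describes, added here as an example that is not part of the original thread: a low-value cookie for the plain-http pages and a separate `Secure`-flagged cookie, issued only on https reauthentication, that alone opens the secure portion. The cookie names, the `/secure` prefix and every function name are assumptions made for the sketch.

```python
import secrets

# All names here are assumptions for this sketch (constructed, in-memory).
BROWSE_SESSIONS = {}   # token -> user; cookie travels over http and https
SECURE_SESSIONS = {}   # token -> user; cookie flagged Secure (https only)

def start_browse_session(user):
    """Issue the low-value cookie used on the plain-http pages."""
    token = secrets.token_urlsafe(32)
    BROWSE_SESSIONS[token] = user
    return f"BROWSE={token}; HttpOnly"

def reauthenticate(scheme, user, password_ok):
    """Issue the high-value cookie only over https, after a fresh login."""
    if scheme != "https" or not password_ok:
        return None
    token = secrets.token_urlsafe(32)
    SECURE_SESSIONS[token] = user
    return f"SECURE={token}; Secure; HttpOnly"

def store(jar, set_cookie):
    """Record a Set-Cookie value in a browser-like jar: name -> (value, secure)."""
    pair, *attrs = [p.strip() for p in set_cookie.split(";")]
    name, value = pair.split("=", 1)
    jar[name] = (value, "Secure" in attrs)

def cookies_sent(scheme, jar):
    """What a browser sends: Secure-flagged cookies are withheld on http."""
    return {n: v for n, (v, sec) in jar.items() if scheme == "https" or not sec}

def authorize(scheme, path, cookies):
    """/secure needs https plus the Secure cookie; BROWSE never suffices there."""
    if path.startswith("/secure"):
        if scheme != "https":
            return "redirect-to-https"
        return "allow" if cookies.get("SECURE") in SECURE_SESSIONS else "reauthenticate"
    return "allow" if cookies.get("BROWSE") in BROWSE_SESSIONS else "login"

def demo():
    jar = {}
    store(jar, start_browse_session("alice"))
    store(jar, reauthenticate("https", "alice", True))
    on_http = cookies_sent("http", jar)          # visible on the wire
    sniffed = {"BROWSE": on_http["BROWSE"]}      # all an http observer learns
    return {
        "secure_cookie_on_http": "SECURE" in on_http,
        "sniffer_on_secure": authorize("https", "/secure/account", sniffed),
        "sniffer_on_browse": authorize("http", "/catalog", sniffed),
        "user_on_secure": authorize("https", "/secure/account", cookies_sent("https", jar)),
    }
```

The browse session is still readable on http in this model, so the separation holds only as long as nothing sensitive is reachable with the `BROWSE` cookie alone.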