Duong BaTien wrote:
First, thanks for the extra help.

No problem... I hope I can help further :)

The whole idea is to use SSL for confidential pages such as logon,
change username / password, and edit profile with confidential data. Other
times, some resources may just be protected by roles. The ideal situation
is to switch between SSL and non-SSL using proper configuration on
stand-alone Tomcat (not with Tomcat and an Apache front end).

So it is within the same webapp... I think Craig raised a valid point in that case... once the connection isn't secured, a would-be hacker can play some games by sniffing the wire. If security is important enough to encrypt certain pages, I would wonder if they really all should be encrypted. Let's move beyond that though, because if that's your requirement then that's what you have to pull off :)

The issue with standalone Tomcat is that once the user has logged in under
SSL, all connections, including public resources not protected by web.xml,
will be in SSL after that under the same application.

I don't know what the spec says in this regard... this could be a by design mechanism, or it could be a bug in Tomcat. It might be worth researching though... you may be trying to fight something that is actually working as it is supposed to.

I did that, but the same issue of serving public resources with SSL still
persists after the SSL connection. Note: I just found out that I did
something wrong, so I still have to qualify this result(?).

When you say "public resource", what does that mean? Do you mean an unconstrained resource?

Because I have not been able to switch between SSL (not for the session
ID but for confidential data) and non-SSL connections, I worked out a
second plan to use 2 web applications under the same Tomcat host and use
Tomcat SingleSignOn to co-ordinate user sessions under the 2 web apps: 1
for SSL and 1 for non-SSL.

Just a shot in the dark, but what if you define a constraint on your UNPROTECTED resources and define the transport guarantee as NONE? It sounds like the user will always pass through a secured page first, so they would have a session established and be authenticated to a user realm, so I *think* it will work... I wonder if that will force it to a non-SSL state though?

That is what I hope to get some help with. The issue has nothing to do with
Shale. I am sure that someone has done this successfully with
standalone Tomcat. I appreciate any help. I ask this list under Shale
because under the scenario as explained below, where I need 2 web apps, I
want to use Shale for both.

Certainly asking this on the Tomcat list would probably get you some further help... There may be some folks there that already know the ins and outs of Tomcat specifically better than I do.

Yes, this is what I expect. But the reality is that the non-protected
resources NOT under <security-constraint> are served by SSL once SSL is
used, at least as I see it, and as also reported by another user in the Tomcat
user list under standalone Tomcat 5.5.9.

Interesting... That *sounds* like a bug, but again, I'd be interested to know what the spec says. Might be exactly what *should* happen. But if you can, give my suggestion a try... Could be a simple fix :)

Yes, I know, and I did that under pure HTML for testing. I ask for JSF
because if I have to go the route of having 2 web applications (1 for
SSL connections and 1 for non-SSL connections), then I want to further
explore if I can use Shale for both rather than the SSL application for just
a simple workaround.

Gotcha. Let's see if we can't get it working the way you expected though, and the way I would have expected it too... we might both learn something here :)

--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
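For readers following the thread, here is a web.xml that spells out the configuration being discussed: a CONFIDENTIAL transport guarantee on the logon and profile pages, a role-only constraint with NONE on pages that need a login but not encryption, and, as Frank suggests above, an explicit constraint with NONE and no auth-constraint on the public pages. This is an added example, not configuration posted by either participant; the URL patterns, the role name "user", the page names and the FORM login setup are assumptions for illustration, as is a server.xml whose HTTP connector on 8080 has redirectPort="8443" pointing at an SSL connector on 8443 (without that, the CONFIDENTIAL redirect has nowhere to go). The caveat the thread is circling: the servlet container only enforces transport guarantees upward. A request over plain HTTP for a CONFIDENTIAL resource is redirected to the SSL port, but NONE simply means "no requirement", so a resource marked NONE is served on whichever scheme the browser used, and relative links on an https:// page keep the browser on https://. Moving back to plain HTTP therefore has to be done by the application, with absolute http:// links from the secure pages. Be aware too that Tomcat 5.x sets the Secure flag on the JSESSIONID cookie when the session is created over SSL, so a session started on the SSL logon page is not presented on later plain-HTTP requests; that is exactly the cross-scheme session problem the two-webapp SingleSignOn plan is meant to work around.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml (Servlet 2.4, Tomcat 5.5 era). URL patterns,
     role name and page names are assumed for illustration. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Logon page: anyone may reach it (no auth-constraint), but it must be
       served over SSL so credentials never cross the wire in clear. A plain
       HTTP request is redirected to the connector's redirectPort. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Logon</web-resource-name>
      <url-pattern>/logon.faces</url-pattern>
      <url-pattern>/j_security_check</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Confidential profile data: requires the "user" role AND SSL. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Role-protected pages that do not need encryption. NONE does not force
       plain HTTP; it only declines to require SSL. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Member pages</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The suggestion from the thread: an explicit constraint on the public
       pages. No auth-constraint means any caller is allowed, and NONE means
       no transport requirement, so this behaves the same as having no
       constraint at all: the page is served on the scheme the browser asked
       for, whether http:// or https://. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public pages</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>
    <form-login-config>
      <form-login-page>/logon.faces</form-login-page>
      <form-error-page>/logon-error.faces</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

A quick check of the behaviour with curl against such a deployment: a request to http://host:8080/app/account/ should come back as a 302 to https://host:8443/app/account/ (the CONFIDENTIAL redirect), while http://host:8080/app/public/ and https://host:8443/app/public/ both return 200 with no redirect in either direction, which is the "served over SSL once SSL is used" observation from the thread rather than a bug.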


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
