If you are using Struts, then the following can help you perform the switching:
http://sourceforge.net/projects/sslext

Mark

On 25/10/05, Rob <[EMAIL PROTECTED]> wrote:
>
> Hi All,
>
> I looked through the mail archives as well - past two years. There's some
> interesting info, but nothing that seems to address the issue. My goal is
> to run https for some pages in my webapp, and http for other pages, using
> the same session. It's working where I can redirect from http to https (see
> the web.xml security constraint block below), but then I'm in https for all
> web pages, and if I type http at the URL, the session goes away. What I'm
> aiming for is a webapp where account info is secure and general web pages
> are http, and the session is preserved.
>
> Any thoughts, ideas, comments, quotes, anything? I've searched pretty well,
> I think, and I don't see any responses to this problem. Is that strange? I
> thought a lot of people would use tomcat for an e-commerce or retail webapp,
> where some pages were https and some http using the same session.
>
> help!
>
> thanks,
>
> Rob
>
> <security-constraint>
>   <display-name>Secure Access</display-name>
>   <web-resource-collection>
>     <web-resource-name>LoginServlet</web-resource-name>
>     <web-resource-name>AdminServlet</web-resource-name>
>     <url-pattern>/login</url-pattern>
>     <url-pattern>/my-account/*</url-pattern>
>     <url-pattern>/acct</url-pattern>
>     <url-pattern>/admin</url-pattern>
>     <url-pattern>/zadmin/*</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> -----Original Message-----
> From: Caldarale, Charles R [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 23, 2005 4:19 PM
> To: Tomcat Users List
> Subject: RE: tomcat 5 http/https config
>
> > From: Rob [mailto:[EMAIL PROTECTED]
> > Subject: tomcat 5 http/https config
> >
> > The problem we're having is switching back to http (and the session
> > dropping).
>
> As I recall, a session can be switched to https from http, but not back
> - that is considered to be a security hole. You might want to check the
> mail archives, since I believe it has been discussed a couple of times
> in the last few months.
>
> - Chuck

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
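
The session behaviour discussed in this thread, as an added example that is not part of the original messages: it assumes the container marks a session cookie created over https as `Secure`, so a browser withholds it from plain-http requests, while a session created over http is sent in cleartext on every http page. Python's `http.cookiejar` stands in for the browser; the host `shop.example`, the `/shop` path and the session id are constructed.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal offline stand-in for a response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(jar, url):
    """Return the Cookie header a client would attach to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def simulate(created_over_https):
    """Create a session on one scheme, then revisit the site on both schemes."""
    jar = CookieJar()
    scheme = "https" if created_over_https else "http"
    # Constructed session id; Secure is assumed to be set only for https sessions.
    header = "JSESSIONID=0123ABCD; Path=/shop"
    if created_over_https:
        header += "; Secure"
    login = Request(f"{scheme}://shop.example/shop/login")
    jar.extract_cookies(FakeResponse(header), login)
    return {
        "http": cookie_sent(jar, "http://shop.example/shop/catalog"),
        "https": cookie_sent(jar, "https://shop.example/shop/my-account/"),
    }


if __name__ == "__main__":
    print("session created over https:", simulate(True))
    print("session created over http: ", simulate(False))
```

A `None` under `"http"` is the dropped session; a session id under `"http"` is one that also crosses the network unencrypted.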