I was planning on doing this by having Apache handle the SSL and using
its configuration file to differentiate between SSL'd areas of the site
and non-SSL'd areas. Is this an option or should I rethink this?

Tim Funk wrote:
I would bet they are not using security constraints as defined in
web.xml. I would bet they are using a 3rd party solution implemented
as a Servlet Filter or something application server specific to handle
this login issue. Notice they do not use JSESSIONID but something
called BV_SessionID as a parameter in the query string. A quick Google
search seems to show they use BroadVision.
-Tim

Dean Searle wrote:
Tim,
I'm not an expert with Tomcat but how does a site like samsclub.com do
it then? I use their site a lot and it runs JSPs and most of the stuff
is unsecure (http) but when I get ready to do the actual purchase and
log in it is a secure site (https). Is there something that they are
doing, possibly masquerading the url or something?
Again not an expert, but something I have been interested in for some
time myself.
Dean 8-)

-----Original Message-----
From: Tim Funk [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 29, 2005 10:34 AM
To: Tomcat Users List
Subject: Re: web.xml question

Security constraints are only imposed on the incoming URL.
Long story short - you'll need to place the entire webapp in SSL. There
is no clean way to use declarative statements to force the login to be
SSL and the rest of the webapp be non-SSL.
-Tim
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]