Hi List, I am using a form-based login in my Tomcat application. My intention was to use https on the login form page, but once the user is logged in, http would be ok for further interaction (my main concern was not to send the password in the clear).
I had hoped to obtain this behavior with the below web.xml excerpt, but with this configuration everything happens over http (note that I know how to let everything happen over https). Is there a way to do this or am I missing something?

cheers,
dirk

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Login</web-resource-name>
        <url-pattern>/login.html</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Subscriber</web-resource-name>
        <url-pattern>/subscriberCtrl</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>subscriber</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/errorLogin.html</form-error-page>
      </form-login-config>
    </login-config>
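An added example, not part of the original post: a small Python audit of the two security constraints above that lists, per url-pattern, the roles required and the transport guarantee, and flags patterns that require a role without requiring an encrypted transport. The `<web-app>` wrapper and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed input: the two security constraints from the post, wrapped in a
# <web-app> root (an assumption) so the excerpt parses as one document.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Subscriber</web-resource-name>
      <url-pattern>/subscriberCtrl</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>subscriber</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def texts(node, name):
    """Text of every descendant element called `name`, ignoring XML namespaces."""
    return [e.text.strip() for e in node.iter()
            if e.tag.rsplit("}", 1)[-1] == name and e.text]

def audit(web_xml):
    """Return (url-pattern, roles, transport-guarantee) for each constrained pattern."""
    rows = []
    for sc in ET.fromstring(web_xml).iter():
        if sc.tag.rsplit("}", 1)[-1] != "security-constraint":
            continue
        # A constraint with no <transport-guarantee> is treated as NONE.
        guarantee = (texts(sc, "transport-guarantee") or ["NONE"])[0]
        roles = texts(sc, "role-name")
        rows += [(p, roles, guarantee) for p in texts(sc, "url-pattern")]
    return rows

def cleartext_protected(rows):
    """Patterns that require a role but not CONFIDENTIAL or INTEGRAL transport."""
    return [p for p, roles, g in rows if roles and g not in ("CONFIDENTIAL", "INTEGRAL")]

if __name__ == "__main__":
    for row in audit(WEB_XML):
        print(row)
    print("role required, no transport guarantee:", cleartext_protected(audit(WEB_XML)))
```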