Pablo,

John Doe wrote:
> Of course that is not Tomcat's job, but if there exists a redirection
> from http to https, I wonder why there does not exist a reverse way in
> the "declarative security" mechanism provided by the servlet
> specification.

Oh, I understand what you're saying. But I still disagree. The servlet spec offers a transport guarantee that a particular page will only be available via HTTPS (by setting the transport to CONFIDENTIAL, as you have done). This is an upgrade in service. There is no alternate transport guarantee that states that the request be made "in cleartext", because that's not actually a guarantee. :)

It looks like what you want is to forbid the use of HTTPS in a selection of URLs (probably because SSL handshakes are very heavy operations). If that's the case, you will really have to do this manually (or use some kind of outside filter; I am ignorant of any such filters or valves).

> But like you point out, there are not so many places where a
> programmer must resolve this kind of situation.

Yeah. It turns out that these situations are usually not that big of a deal to simply do the extra little bit of coding necessary. As others have pointed out, some JSP tag libraries are useful for detecting the "correct" protocol to use, as well as forcing a switch from HTTPS to HTTP. I'm sure similar tools exist for other presentation strategies.

-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
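The declarative setting discussed in the message above, shown as an added example (not part of the original post and not taken from the Tomcat project): a web.xml fragment with CONFIDENTIAL on one URL pattern and NONE on another. The resource names and URL patterns are assumptions chosen for illustration.

```xml
<!-- Fragment of WEB-INF/web.xml; namespace and version attributes of
     <web-app> are omitted here. Names and URL patterns are hypothetical. -->
<web-app>

  <!-- Transport guarantee: these URLs are only served over HTTPS.
       Tomcat answers a plain-HTTP request for them with a redirect to
       the redirectPort configured on the HTTP connector. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- NONE states that the application requires no transport protection.
       It does not forbid HTTPS: a request for /catalog/* that arrives
       over HTTPS is still served over HTTPS, with no redirect back to
       HTTP. The servlet spec defines only NONE, INTEGRAL and
       CONFIDENTIAL, so there is no value that demands cleartext. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public catalog</web-resource-name>
      <url-pattern>/catalog/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

A switch from HTTPS back to HTTP for `/catalog/*` therefore has to come from application code or a filter, as the message says; session cookies marked Secure will not accompany the resulting HTTP requests.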