Hello Dave, this is not exactly the answer you are looking for, but I have been concerned with public web security for a long time and I have finally resigned myself to the fact that if you are using login pages that process user ids and passwords and other confidential info, man-in-the-middle and any type of network traffic sniffing is extremely dangerous. I run several Java apps publicly and all are 100% https/SSL all the time. It is a performance hit, but I just up the hardware to match: multi-core Linux boxes with SMP and 4+ gigs of mem and other virtualization tricks as afforded by XEN and even Tomcat itself (6.0). Also please note: JBoss is very good at multi-instance web application servers on multiple ports with only a single machine install. If you have very serious Java web application concerns and full-time https encryption is warranted, then you might give the folks at www.azulsystems.com a call. HTH, David.
Dave wrote ..
> Hi Chris,
>
> I moved the <user-data-constraint> inside the <web-resource-collection> as the
> following:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Automatic SSL Forwarding</web-resource-name>
>     <url-pattern>/login.html</url-pattern>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>   </web-resource-collection>
> </security-constraint>
>
> But http://www.mydomain.com/login.html did not redirect to the secure URL.
>
> As you mentioned, if I start as http, then redirect to https when logging in, and
> keep https after login, does that mean https is using the http session? Is there
> any security hole? What if a man-in-the-middle knows the session id from http and the
> same session id is used by https?
>
> Thanks for the help.
> Dave
>
> Christopher Schultz <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dave,
>
> Dave wrote:
> | I tried the method, it worked.
> | But when I tried to protect the login page only,
> |
> | protected pages
> | /login.jsp
> |
> | restarted tomcat, and went to http://www.mydomain.com
> |
> | it was redirected to the secure URL. It should stay insecure until going to the login page.
> |
> | anything I was missing?
>
> Is that your entire configuration? If you've told Tomcat that /* should be
> CONFIDENTIAL, then all traffic will be redirected to HTTPS.
>
> Move the CONFIDENTIAL part into the <security-constraint> that represents your
> login page, and leave the rest of the app non-CONFIDENTIAL.
>
> Remember that Tomcat will not automatically go from HTTPS to HTTP, so
> you'll have to make that happen yourself. Also remember that if your
> session id cookie was created in HTTPS mode, your browser will not send
> it back to the server when you're in HTTP mode.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkerHyAACgkQ9CaO5/Lv0PClgACfRQm66ro0lctDvrEnA0paYC0Y
> ziIAn35jRaXBkefSfaz6l1cn9fOokmfe
> =0RZ/
> -----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
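Two points the thread leaves implicit, shown here as an added example that is not code from any of the posters. First, in web.xml the <user-data-constraint> element is a child of <security-constraint> and is written after the <web-resource-collection>, not nested inside it; a constraint written where Dave placed it carries no transport guarantee, which is consistent with the missing redirect. Second, Dave's session-id question (an id issued over plain HTTP and then reused over HTTPS) is usually handled by discarding the pre-login session and issuing a fresh one once the user has authenticated over HTTPS. The Java below (Servlet 2.5 API, the level Tomcat 6 supports) does both programmatically: a filter that forces HTTPS on whatever paths it is mapped to, and a login servlet that rotates the session. The filter mapping, the "username"/"password" parameter names, the /home.html target and the checkCredentials() stub are assumptions for the example, not anything from the original page.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Programmatic equivalent of a CONFIDENTIAL user-data-constraint on the login
 * page: a plain-HTTP request for any path this filter is mapped to (e.g.
 * /login.html and /login.jsp in web.xml; assumed mapping) is redirected to the
 * same path over HTTPS. Assumes the HTTPS connector listens on the default 443.
 */
public class RequireHttpsFilter implements Filter {
    public void init(FilterConfig cfg) throws ServletException {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!request.isSecure()) {
            String target = "https://" + request.getServerName() + request.getRequestURI();
            if (request.getQueryString() != null) {
                target += "?" + request.getQueryString();
            }
            response.sendRedirect(target);   // browser retries over TLS
            return;
        }
        chain.doFilter(req, res);
    }
}

/**
 * Login handler that rotates the session id after a successful login, so an id
 * that was handed out (and possibly sniffed) over plain HTTP before the
 * redirect is never the id of the authenticated HTTPS session.
 */
class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        if (!request.isSecure()) {   // never accept credentials over plain HTTP
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String user = request.getParameter("username");   // assumed form field names
        String pass = request.getParameter("password");
        if (!checkCredentials(user, pass)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Keep any pre-login state worth carrying over, then drop the old session.
        Map<String, Object> carry = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            for (Enumeration<?> e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = (String) e.nextElement();
                carry.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }

        // After invalidate(), getSession(true) issues a brand-new id. Because this
        // request arrived over HTTPS, Tomcat marks the JSESSIONID cookie Secure, so
        // the browser will not send it on later plain-HTTP requests (Chris's point).
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : carry.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        fresh.setAttribute("user", user);
        response.sendRedirect(request.getContextPath() + "/home.html");   // assumed target
    }

    /** Placeholder for the application's real credential check (assumption). */
    private boolean checkCredentials(String user, String pass) {
        return user != null && pass != null && user.length() > 0 && pass.length() > 0;
    }
}
```

The filter only covers the paths it is mapped to, so the rest of the application stays on HTTP as Chris describes, and nothing here sends the user back from HTTPS to HTTP; that step still has to be done by the application if it is wanted at all. Because the post-login session cookie is Secure, a page that later drops to plain HTTP will simply not see the session, which is the behaviour Chris warns about.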