And another one: AFAIK, when using Form-based Authentication, the parameters for j_security_check are sent in a readable manner over the wire, thus prone to attack.

Therefore, it is recommended to use SSL encryption for the Form-Loginpage. However, that means that one has to buy one of those quite expensive SSL-certs. Since those pages actually don't need SSL at all except for the Login-process, is there any way to achieve encryption for the Login-process without a valid SSL-cert?

Your suggestions are very welcome.

Rgds
Gregor
--
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
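To make the concern in the message above concrete, here is an added example (not part of the original post) that audits captured connection bytes for a form login submitted without encryption. The field names j_username and j_password are the ones the Servlet specification defines for j_security_check; the host, path and credentials in the sample are constructed.

```python
from urllib.parse import parse_qs

# Constructed sample: a form login as its bytes appear on a plain-HTTP connection.
PLAIN_HTTP_LOGIN = (
    b"POST /app/j_security_check HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 41\r\n"
    b"\r\n"
    b"j_username=alice&j_password=s3cret%21pass"
)

# Constructed sample: the start of a TLS record, which is all an observer
# sees when the same login is sent over SSL/TLS.
TLS_WRAPPED = b"\x16\x03\x01\x00\x05hello"


def find_cleartext_form_login(raw: bytes):
    """Return a finding if raw is a readable j_security_check POST, else None.

    The password itself is never returned, only its length, so the finding
    can be logged safely.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:  # not an HTTP request line (e.g. TLS record bytes)
        return None
    method, target, _version = parts
    path = target.split("?", 1)[0]
    if method != "POST" or not path.endswith("/j_security_check"):
        return None
    # The form body is only URL-encoded, so it decodes without any key.
    fields = parse_qs(body.decode("iso-8859-1"), keep_blank_values=True)
    if "j_password" not in fields:
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return {
        "host": host,
        "path": path,
        "username": fields.get("j_username", [""])[0],
        "password_length": len(fields["j_password"][0]),
    }
```
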