-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chuck,
On 3/10/2009 3:24 PM, Caldarale, Charles R wrote: >> From: Gregor Schneider [mailto:rc4...@googlemail.com] >> Subject: j_security_check & SSL >> >> is there any way to achieve encryption for the >> Login-process without a valid SSL-cert? > > Note that if the login is performed under HTTPS, the generated > session is only for HTTPS; falling back to HTTP will result in use of > a different session object. Just to be clear, it's the session creation that is sensitive to SSL, not the actual login (authentication step). If your session exists and is visible to non-secure communications before authentication, then it will also be so after authentication. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkm6bPoACgkQ9CaO5/Lv0PACKQCfRYLd0qS2v84xckUW0Tpk/y2g +y4AnjJR9ny4mWd7RdBPJjhE8CRS7GXp =Deaf -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org