-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chuck and Leo,

On 2/23/2010 4:25 PM, Caldarale, Charles R wrote:
>> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
>> Subject: Question about SSL
>>
>> "...It is not strictly necessary to run an entire web application over
>> SSL, and indeed a developer can pick and choose which pages require a
>> secure connection and which do not."
>> Where do I configure this?
> 
> Read section 12 of the servlet spec. You need to configure a
> <transport-guarantee> of CONFIDENTIAL for the desired URL pattern(s).
> This will cause requests over non-secure connections to be redirected to
> the secure port.

While it may seem like <transport-guarantee> will meet all your needs,
we have a lot of folks asking questions on the list about secure-login,
but non-secure access to the rest of the webapp. There are arguments
both for and against this practice, but there are a couple of things to
consider:

1. <transport-guarantee> doesn't apply (I think) to the login page that
Tomcat serves, even if you set it. This is because Tomcat does an
internal forward from the requested resource (say, /protected.jsp) to
your login page.

2. Tomcat doesn't automatically use HTTPS for your call to
j_security_check, so make sure that your login form /does/ use HTTPS in
its URL.

3. If you are allowing clients to use cookies, you'll need to make sure
that your JSESSIONID cookie is created in non-secure mode, otherwise
you'll get a session assigned to you that is only accessible via HTTPS
and you'll confuse the hell out of yourself trying to figure out why
it's not working.

That last one can be a real PITA: if you're looking for secure-auth
/only/, then you'll have to design your pages to ensure that your
cookies are always in non-secure-mode but that j_security_check does get
sent over HTTPS.

Hope that helps.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkuEUNMACgkQ9CaO5/Lv0PC65ACeKXZiaDWg7XB11SmwjAO/1BQo
TV0AoI67PshphTce5w+c76q2ESLGcnjI
=FKxX
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
