Cummins College wrote:
Hi,

Actually we are designing a security layer over our web app. We want to give
the user an option of choosing between http or https on login. Hence the
need of changing from http to https or vice-versa at runtime.

I have the impression that you are going about this in a complicated way (and one which in my opinion would never work anyway). Let me suggest a setup which should not require switching any Connectors or settings thereof:
- set up two separate versions of your webapp (say webapps/ourapp and webapps/ourapp-secure). As far as I know, they can share exactly the same code and just differ by the context name and the content of their WEB-INF/web.xml.
- modify the web.xml of the "secure" version to make HTTPS mandatory for that one
- set up two Connectors, one HTTP and one HTTPS.
- when users try to access the application, they will initially get a login page. Make that page normally submit to the "unsecure" webapp over HTTP, but offer a button on it leading to the secure version of the app under HTTPS. This button is just a link to https://yourserver.company.com/ourapp-secure. When they click on it, they will get the login page again, but this time they are (and will remain) in the HTTPS side of things. With a little bit of Javascript inventiveness in the login page, I am sure that there must be a way to submit the login to either the secure or non-secure version of the application, without need for the browser to reload the page.

Now the basic question still remains: given a choice between a secure and a non-secure session, and an identical application afterward, why would a user choose an unsecure session? Because he feels compassion for the poor hacker trying to break in?

