André,

On 12/8/2010 5:01 PM, André Warnier wrote:
> Aggarwal, Ajay wrote:
>> For external clients, I want to enforce SSL only on part of my
>> application (certain URLs) not all.
>>
>> I will look into URL Rewrite as suggested by Nicholas.
>
> Mixing SSL and non-SSL parts within the same application is - in my
> humble view - a recipe for a lot of complications and user inconvenience.
> (Such as : some browsers will pop up a message to the user, when
> switching from HTTP to HTTPS and vice-versa)

+1

Other considerations:

- If you want to protect user credentials, you must use SSL during
  authentication
- If you authenticate using SSL, you will likely lose your session when
  dropping down to non-secure

The best advice is to simply use SSL if you care about the security of
your app and your users.

-chris
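
An added example, not part of the original message or of Tomcat's own documentation: a `WEB-INF/web.xml` fragment contrasting the partial enforcement asked about in the thread with the whole-application enforcement the reply recommends. The path `/account/*` and the resource names are hypothetical.

```xml
<!-- Added example: fragment of WEB-INF/web.xml (Servlet deployment descriptor). -->

<!-- Partial enforcement, as asked about in the thread. Only the listed
     pattern requires SSL; every other URL is still reachable over plain
     HTTP. "/account/*" is a hypothetical path.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Account pages only</web-resource-name>
    <url-pattern>/account/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
-->

<!-- Whole-application enforcement, as recommended in the reply. Every URL
     requires SSL, so authentication and the rest of the session stay on
     the same secure transport. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With `CONFIDENTIAL` set, Tomcat redirects a plain-HTTP request for a matching URL to the port named by `redirectPort` on the HTTP connector in `server.xml`.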