Most of the application will be over SSL for external clients. There is one part where the clients may upload or download a huge file over HTTP, which I don't want to go through SSL. I am thinking uploading/downloading these huge files over SSL will create a lot of stress on the server.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, December 08, 2010 5:14 PM
To: Tomcat Users List
Subject: Re: enforcing SSL only for external clients

André,

On 12/8/2010 5:01 PM, André Warnier wrote:
> Aggarwal, Ajay wrote:
>> For external clients, I want to enforce SSL only on part of my
>> application (certain URLs) not all.
>>
>> I will look into URL Rewrite as suggested by Nicholas.
>
> Mixing SSL and non-SSL parts within the same application is - in my
> humble view - a recipe for a lot of complications and user inconvenience.
> (Such as : some browsers will pop up a message to the user, when
> switching from HTTP to HTTPS and vice-versa)

+1

Other considerations:

- If you want to protect user credentials, you must use SSL during
  authentication
- If you authenticate using SSL, you will likely lose your session when
  dropping down to non-secure

The best advice is to simply use SSL if you care about the security of
your app and your users.

-chris
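
Added example, not part of the thread or of Tomcat: a sketch of the session-loss point above, using Python's http.cookiejar as a stand-in for a browser. It assumes the session cookie issued during the HTTPS login carries the Secure attribute; the host name, paths and session id are constructed placeholders.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed sample values: placeholder host and session id.
HOST = "app.example.test"
SECURE_COOKIE = "JSESSIONID=CONSTRUCTED123; Path=/; Secure; HttpOnly"
PLAIN_COOKIE = "JSESSIONID=CONSTRUCTED123; Path=/; HttpOnly"


class _FakeResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(set_cookie, next_url, login_url=f"https://{HOST}/login"):
    """Return the Cookie header a client sends to next_url after logging in
    at login_url and receiving set_cookie, or None if nothing is sent."""
    jar = http.cookiejar.CookieJar()
    # Store the cookie as if it came back from the HTTPS login response.
    jar.extract_cookies(_FakeResponse(set_cookie), urllib.request.Request(login_url))
    follow_up = urllib.request.Request(next_url)
    # The jar applies the same Secure/scheme rule a browser does.
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    cases = [
        ("Secure cookie, HTTPS page", SECURE_COOKIE, f"https://{HOST}/account"),
        ("Secure cookie, HTTP download", SECURE_COOKIE, f"http://{HOST}/download/big.bin"),
        ("non-Secure cookie, HTTP download", PLAIN_COOKIE, f"http://{HOST}/download/big.bin"),
    ]
    for label, cookie, url in cases:
        sent = cookie_sent(cookie, url)
        print(f"{label}: {'sent ' + sent if sent else 'no cookie sent (session lost)'}")
```

The third case keeps the session on the HTTP download only because the session id then travels unencrypted, which is the trade-off behind the advice to use SSL throughout.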