Posted to users@tomcat.apache.org by dirk ooms <di...@onesparrow.com> on 2006/07/05 14:43:15 UTC

only https on login form

Hi List,

I am using a form-based login in my Tomcat application. My intention was to 
use https on the login form page, but once the user is logged in, http would 
be ok for further interaction (my main concern was not to send the password 
in the clear).

I had hoped to obtain this behavior with the below web.xml excerpt, but with 
this configuration everything happens over http (note that I know how to let 
everything happen over https).

Is there a way to do this or am I missing something?

cheers,
dirk

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Subscriber</web-resource-name>
      <url-pattern>/subscriberCtrl</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>subscriber</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/errorLogin.html</form-error-page>
    </form-login-config>
  </login-config>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: only https on login form

Posted by dirk ooms <di...@onesparrow.com>.
Mark,

Thanks for your answer. So is it common practice to keep the complete session 
encrypted even if one only desires encrypted authentication?

cheers,
dirk

On Thursday 06 July 2006 03:01, Mark Thomas wrote:
> dirk ooms wrote:
> > Is there a way to do this or am I missing something?
>
> Not without writing some custom code. Your first security-constraint
> will be ignored unless the user directly requests the login page
> (which will give a different error).
>
> Mark



Re: only https on login form

Posted by Mark Thomas <ma...@apache.org>.
dirk ooms wrote:
> Is there a way to do this or am I missing something?

Not without writing some custom code. Your first security-constraint
will be ignored unless the user directly requests the login page
(which will give a different error).

Mark
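The two web.xml variants below are an added illustration of Mark's point, not part of the thread: because the container serves the login form in response to the request for the protected URL (/subscriberCtrl), the transport guarantee that decides whether the credentials travel over TLS is the one attached to that URL, not the one on /login.html. The constraint names and the /* pattern in the second variant are assumptions; the URL patterns and the role name are the ones from Dirk's excerpt.

```xml
<!-- Variant 1: put the transport guarantee on the protected resource itself.
     Tomcat enforces the user-data-constraint before it challenges for
     authentication, so an http request for /subscriberCtrl is first redirected
     to https, and the login form plus its POST to j_security_check are then
     served over TLS. /subscriberCtrl stays on https after login as well. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Subscriber</web-resource-name>
    <url-pattern>/subscriberCtrl</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>subscriber</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Variant 2 (the "complete session encrypted" practice Dirk asks about):
     one transport constraint over every URL, so the session cookie issued at
     login is never sent over plain http. The web-resource-name and the /*
     pattern are assumed; narrow the pattern if some static content may stay
     on http. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Neither variant yields the http-after-login behaviour Dirk originally wanted, which matches Mark's reply that this needs custom code; Dirk's original Login constraint can be kept alongside either for the case where a user opens /login.html directly.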
