Posted to users@tomcat.apache.org by Roland Carlsson <ro...@alfa-moving.se> on 2004/11/12 11:13:50 UTC
Login over ssl
Hi!
I've got a problem with securing a login page. I would like the login form to
be secured with SSL to ensure that the users' credentials aren't easily
readable. But I have no need to put the rest of my page in SSL mode.
I have posted the <security-constraint/> and <login-config/> below.
It seems as if the <security-constraint> named AQMFiles 02 isn't used at
all. At least, all requests that get interrupted because the user isn't
authenticated are sent to /login.jsp as non-SSL requests and don't get
redirected to SSL.
Must I put my whole web-app in SSL mode to make sure that my users'
credentials are secure?
Regards
Roland Carlsson
PS: I apologize for the posting that got the wrong address (Gothia), I should
learn not to talk on the phone and write mail at the same time. :-)
--------------- part of web.xml----------
<security-constraint>
  <display-name>AQMFiles 02</display-name>
  <web-resource-collection>
    <url-pattern>/login.jsp</url-pattern>
    <url-pattern>/error.jsp</url-pattern>
    <url-pattern>*j_security_check*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <display-name>AQMFiles 01</display-name>
  <web-resource-collection>
    <url-pattern>/pages/*</url-pattern>
    <url-pattern>/env/*</url-pattern>
    <url-pattern>/index_1.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>AQMFile login</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
-------------------------------------------
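A small lint pass over the descriptor posted above, added here as an example and not part of the original message: it applies the Servlet specification's url-pattern rules (where `*` is a wildcard only in the `/path/*` and `*.ext` forms) and flags FORM-authenticated constraints left at transport-guarantee NONE, the case in which the post reports reaching /login.jsp without an SSL redirect. The function names, finding labels and the trimmed `<web-app>` sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the posted constraints under a <web-app> root.
WEB_XML = """<web-app>
  <security-constraint>
    <display-name>AQMFiles 02</display-name>
    <web-resource-collection>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>*j_security_check*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>AQMFiles 01</display-name>
    <web-resource-collection><url-pattern>/pages/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""


def pattern_kind(p):
    """Classify a url-pattern by the Servlet specification's mapping rules."""
    if p == "/":
        return "default"
    if p.startswith("/") and p.endswith("/*"):
        return "prefix"
    if p.startswith("*.") and "/" not in p:
        return "extension"
    return "exact"  # every other string is an exact match; '*' is no wildcard here


def lint(xml_text):
    """Return (constraint name, url-pattern or None, finding label) tuples."""
    root = ET.fromstring(xml_text)
    form = root.findtext("login-config/auth-method", "").strip() == "FORM"
    findings = []
    for sc in root.findall("security-constraint"):
        name = sc.findtext("display-name", "?")
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        for p in (e.text.strip() for e in sc.iter("url-pattern")):
            if pattern_kind(p) == "exact" and "*" in p:
                findings.append((name, p, "asterisk-not-wildcard"))
        # An auth-constrained resource served over plain HTTP starts the login flow over HTTP.
        if form and sc.find("auth-constraint") is not None and guarantee == "NONE":
            findings.append((name, None, "form-login-reached-over-http"))
    return findings
```
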