Posted to users@tomcat.apache.org by is_maximum <mn...@gmail.com> on 2007/07/24 14:30:07 UTC

how to setting up SSL for a specific page

Hello all,

When I set up SSL in Tomcat, all my pages are secure (https), but as
I've seen on many web sites, only the login page is secure. How can I secure
only the pages that contain confidential information and not all the pages?

I am using Apache Tomcat 5.5.

Thank you in advance
-- 
View this message in context: http://www.nabble.com/how-to-setting-up-SSL-for-a-specific-page-tf4135638.html#a11761971
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: how to setting up SSL for a specific page

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: is_maximum [mailto:mnrz57@gmail.com] 
> Subject: RE: how to setting up SSL for a specific page
> 
> I need only login page to be secured not all the pages after that

This is a harder problem, since switching back to HTTP after
authenticating via HTTPS opens a security hole.  However, you may be
able to use this with good effect:
http://securityfilter.sourceforge.net/

For background, take a look at these threads:
http://marc.info/?l=tomcat-user&m=118313590123430&w=2
http://marc.info/?l=tomcat-user&m=117515290507605&w=2
http://marc.info/?l=tomcat-user&m=117010975112868&w=2


 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.



RE: how to setting up SSL for a specific page

Posted by is_maximum <mn...@gmail.com>.

Caldarale, Charles R wrote:
> 
> Read section 12 of the servlet spec.  Use a <url-pattern> in conjunction
> with the <transport-guarantee> that covers only the login page.
> 
>  - Chuck

Thank you Charles,
I've read the servlet spec, but my problem is that I specified /login.jsp as
the url-pattern in the deployment descriptor. Before the user reaches that
page everything is normal, and when the page is about to be displayed the
http changes to https, which is right. The problem is that after login every
page is secure as well, and even if I remove the "s" from https it won't work.

I need only the login page to be secured, not all the pages after that.



RE: how to setting up SSL for a specific page

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: is_maximum [mailto:mnrz57@gmail.com] 
> Subject: how to setting up SSL for a specific page
> 
> how can I secure only pages that contains confidential 
> information and not all the pages?

Read section 12 of the servlet spec.  Use a <url-pattern> in conjunction
with the <transport-guarantee> that covers only the login page.

 - Chuck
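
Added example, not part of the original thread and not written by its
participants: a web.xml fragment for the <url-pattern> plus
<transport-guarantee> combination described in the reply above. The path
/login.jsp comes from the thread; the resource names are illustrative
assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml for Servlet 2.4, the spec level Tomcat 5.5 implements.
     Added example; <web-resource-name> values are illustrative. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Login page only: the container requires an encrypted transport for
       this one URL. A plain-HTTP request for it is redirected to the
       redirectPort of the HTTP <Connector> in server.xml. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login page</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- This constraint only moves /login.jsp up to HTTPS. It never sends
       other URLs back to HTTP, and the container adds no protection for
       the session once later requests travel over plain HTTP. -->

  <!-- Alternative that avoids switching back to HTTP after login: replace
       the constraint above with one covering the whole application.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  -->

</web-app>
```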

