RE: Form-based Container Security with SSL

2009-05-12 Thread Martin Gainty
at.apache.org > Subject: Re: Form-based Container Security with SSL > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Guojun, > > On 5/11/2009 5:49 PM, Guojun Zhu wrote: > > Dear Chris, > > > > Thank you very much. What we really want is that th

Re: Form-based Container Security with SSL

2009-05-11 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Guojun, On 5/11/2009 5:49 PM, Guojun Zhu wrote: > Dear Chris, > > Thank you very much. What we really want is that the login > username/password communicates encrypted. Everything else can be in > clear-text. (We also need the log-out, so I canno

Re: Form-based Container Security with SSL

2009-05-11 Thread Guojun Zhu
Dear Chris, Thank you very much. What we really want is that the login username/password communicates encrypted. Everything else can be in clear-text. (We also need the log-out, so I cannot use the digest authentification.) > Showing a non-secure login page isn't a problem, is it? You just n

Re: Form-based Container Security with SSL

2009-05-11 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Guojun, On 5/8/2009 5:27 PM, Guojun Zhu wrote: > What do you mean "You want to ensure a session is created in > non-secure more BEFORE the user submits their credentials."? Session id cookies are created by Tomcat in either "secure" mode (when the s

Re: Form-based Container Security with SSL

2009-05-08 Thread Guojun Zhu
Dear Chris, I am sorry, but I am not sure that I understand what you mean. All your solutions is to modify the login.jsp. But we have already reach there by http unsecurely whenever I try to access any restricted pages. I have set things like this with the form authentication as last post. Am

Re: Form-based Container Security with SSL

2009-05-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Guojun, On 5/8/2009 12:22 AM, Guojun Zhu wrote: > Thank you very much. I can get the link redirect. But the tomcat's > container security seems to happen before it. The container's security mechanism will always execute before your code. Keep that

Re: Form-based Container Security with SSL

2009-05-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Martin, On 5/6/2009 10:26 PM, Martin Gainty wrote: > With redirect-prefix, instead of executing baz action's execute() method (by > default it isn't overriden in struts.xml to be something else), [...] What is your obsession with Struts these days? I

Re: Form-based Container Security with SSL

2009-05-07 Thread Guojun Zhu
Dear Chris, Thank you very much. I can get the link redirect. But the tomcat's container security seems to happen before it. Here is the stuff in the web.xml. When I type http://localhost:8080/InformProject/pages/login.jsp, it will redirect to https://localhost:8443/. The browser will ale

RE: Form-based Container Security with SSL

2009-05-06 Thread Martin Gainty
opherschultz.net > To: users@tomcat.apache.org > Subject: Re: Form-based Container Security with SSL > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Guojun, > > On 5/6/2009 3:05 PM, Guojun Zhu wrote: > > We had a small web application on tomcat 5.5. We use to

Re: Form-based Container Security with SSL

2009-05-06 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Guojun, On 5/6/2009 3:05 PM, Guojun Zhu wrote: > We had a small web application on tomcat 5.5. We use tomcat realm > (MD5 digest) with the form-based login. I have a few questions on > this. > > 1. When we use http, does the form-based login page