Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-23 Thread Cyrille Le Clerc
Thanks for your reply, Mark. I exposed this "Valve + RequestFacade subclassing" scenario to the other guys on my project and we prefer not to modify Tomcat internals. We are currently hesitating between introducing a ServletFilter and subclassing org.springframework.security.securechannel.Sec

Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-23 Thread Mark Thomas
Cyrille Le Clerc wrote:
> Thank you for the clarification Mark.
>
>> Depending on where the session is created, you might be able to use a
>> filter to wrap your response and modify the secure attribute of any
>> cookies as they are added to the response.
>
> I am sorry to bother you but I don't

Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-22 Thread Cyrille Le Clerc
Thank you for the clarification Mark.

> Depending on where the session is created, you might be able to use a
> filter to wrap your response and modify the secure attribute of any
> cookies as they are added to the response.

I am sorry to bother you but I don't see how I could wrap the class o.a.

Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-22 Thread Mark Thomas
Cyrille Le Clerc wrote:
> Thanks very much for the time you spend on my problem Christopher.
>
> I use two connectors: one with secure=true and scheme=http; another
> with secured=true, scheme=https.
>
>> What is the requirement that scheme=http? You can actually use a
>> (non-secure) HTTP conn

Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-22 Thread Cyrille Le Clerc
Thanks very much for the time you spend on my problem Christopher.

I use two connectors: one with secure=true and scheme=http; another with secured=true, scheme=https.

> What is the requirement that scheme=http? You can actually use a
> (non-secure) HTTP connector and still set scheme=https.

Do

Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-22 Thread Christopher Schultz
Cyrille,

On 6/22/2009 3:50 PM, Cyrille Le Clerc wrote:
> My need is the opposite: I want to have request.secure=true but
> request.scheme=http.

What is the requirement that scheme=http? You can actually use a (non-secure) HTTP connector and still se

Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-22 Thread Cyrille Le Clerc
Thanks for your response Christopher,

> > Could we imagine an evolution of Tomcat to generate secure session
> > cookies if "request.scheme == https" rather than on "request.secure ==
> > true"? I would be very pleased to propose a patch.
>
> Do you have a reason to set request.secure=false wh

Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-22 Thread Christopher Schultz
Cyrille,

On 6/21/2009 6:52 AM, Cyrille Le Clerc wrote:
> I am interested in using the "secure" attribute of Tomcat
> connectors for non https/ssl requests. However, the "ssl only"
> JSESSIONID cookie mechanism currently relies on "request.secure ==

Re: Secure jsessionid cookie : request.scheme==https versus request.secure == true

2009-06-22 Thread Cyrille Le Clerc
Hello,

My use case may not have been clear enough: the "internal over http connector: secure = true, scheme = http" doesn't behave as I would like for stateful requests, because Tomcat generates a secure JSESSIONID cookie even if the configured scheme is "http" rather than "https". Due to this

Re: secure JSessionID

2008-01-16 Thread Christopher Schultz
GF,

GF wrote:
|> I believe if your session starts through HTTPS, the cookie will be
|> marked as secure and it won't be sent if the user switches to non-secure
|> HTTP.
|
| Maybe my question is stupid, but, is it possible to browse a site on
| HTTP a

Re: secure JSessionID

2008-01-16 Thread GF
> I believe if your session starts through HTTPS, the cookie will be
> marked as secure and it won't be sent if the user switches to non-secure
> HTTP.

Maybe my question is stupid, but is it possible to browse a site on HTTP and have just the JSESSIONID cookie sent on HTTPS to prevent session s

Re: secure JSessionID

2008-01-14 Thread Christopher Schultz
GF,

GF wrote:
| can you give me a link about setting up a secure JSessionID cookie? I
| mean to let it pass over HTTPS and not HTTP.

I believe if your session starts through HTTPS, the cookie will be marked as secure and it won't be sent if the user