Gregor,
On 3/13/2009 1:58 PM, Gregor Schneider wrote:
> So will I then be able to access the HttpSession-object created when
> inside HTTPS (login-page) when I'm querying it from within a JSP
> served via plain HTTP?
No, the session will be created i
Chris,
On Fri, Mar 13, 2009 at 5:14 PM, Christopher Schultz
wrote:
>
> Gregor,
>
> On 3/13/2009 11:42 AM, Gregor Schneider wrote:
>> So would following scenario work?
>>
>> - login using form-based login via https
>>
>> - when successful:
>> Ht
Hi André,
first: Please forgive me my late answer also to your PM, however, I
was really busy here so that I didn't find any time to answer in an
appropriate (aka detailed) manner.
So here we go:
Customers
When talking about customers, I'm actually talking about our staff
from t
Gregor,
On 3/13/2009 11:42 AM, Gregor Schneider wrote:
> So would following scenario work?
>
> - login using form-based login via https
>
> - when successful:
> HttpSession session = request.getSession();
> // guess that shouldn't happen
>
Chris,
On Fri, Mar 13, 2009 at 3:26 PM, Christopher Schultz
wrote:
>
> Just to be clear, it's the session creation that is sensitive to SSL,
> not the actual login (authentication step). If your session exists and
> is visible to non-secure communications before authentication, then it
> will als
André,
On 3/13/2009 10:38 AM, André Warnier wrote:
> Unless I am mistaken, I don't think that using HTTPS in order to protect
> the user-id/password from eavesdropping by some miscreant, you
> necessarily have to have a Verisign certificate for each s
Hi guys. I'm following this loosely, along with some other threads.
There is another one going on right now which also talks about
authentication, hijacking JSESSIONID etc.
Gregor, what is not very clear to me, and maybe you want to do a wrapup,
is what exactly you are - and are not - trying
Chuck,
On 3/10/2009 3:24 PM, Caldarale, Charles R wrote:
>> From: Gregor Schneider [mailto:rc4...@googlemail.com]
>> Subject: j_security_check & SSL
>>
>> is there any way to achieve encryption for the
>> Logi
Gregor,
On 3/10/2009 5:44 PM, Gregor Schneider wrote:
> Mark,
>
> On Tue, Mar 10, 2009 at 8:23 PM, Mark Thomas wrote:
>>
>> Ditch FORM auth, use DIGEST.
>>
> I'm afraid I don't see how to combine DIGEST with a Login-form - and
> that's a customer re
Mark,
On Tue, Mar 10, 2009 at 8:23 PM, Mark Thomas wrote:
>
> Ditch FORM auth, use DIGEST.
>
I'm afraid I don't see how to combine DIGEST with a Login-form - and
that's a customer request.
I know that SecurityFilter is quite a handy tool, however, that
doesn't support Tomcat's SSO-functionality
> From: Gregor Schneider [mailto:rc4...@googlemail.com]
> Subject: j_security_check & SSL
>
> is there any way to achieve encryption for the
> Login-process without a valid SSL-cert?
We normally use a self-signed certificate. That does pop up a browser message
to that
Gregor Schneider wrote:
> And another one:
>
> AFAIK, when using Form-based Authentication, the parameters for
> j_security_check are sent in a readable manner over the wire, thus
> prone for an attack.
Correct.
> Therefore, it is recommended to use SSL-encryption for the Form-Loginpage.
Correct.
And another one:
AFAIK, when using Form-based Authentication, the parameters for
j_security_check are sent in a readable manner over the wire, thus
prone for an attack.
Therefore, it is recommended to use SSL-encryption for the Form-Loginpage.
However, that means that one has to buy one of those
13 matches