http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23766

cannot configure SSL for form-based authentication

------- Additional Comments From [EMAIL PROTECTED] 2003-10-14 23:55 -------

Right. Now I understand. You want to protect the login form and only the login form with SSL. Hmmm. Tricky.

You are correct, the 'Login pages' constraint in my example is unnecessary. That's what you get for copying stuff verbatim from the web without thinking/checking it ;)

It isn't a case of this functionality being dropped in TC5, more one of the spec now being specific about what should happen if elements of the security constraint are not present. This has closed the loop-hole in the spec you have been making use of.

I have had a look at the spec and I don't think there is a way to do what you want just with web.xml as the login form uses the user-data constraint of the requested page.

As I see it you have three options:

- Use SSL for everything. Simple to implement. Potential performance hit.
- Authenticate in the clear. Increases security risk. Might be acceptable in some circumstances.
- Try to force http/https as required through explicit URLs. Messy. Difficult to maintain. Wrecks portability of webapp.

Anyway, with regards to the original bug tomcat 5 behaviour is as per the spec and Remy's resolution of INVALID is correct. I suggest that any further discussion of this topic should be on tomcat-user.