Hi All,

I looked through the mail archives as well - past two years. There's some interesting info, but nothing that seems to address the issue.

My goal is to run https for some pages in my webapp, and http for other pages, using the same session. It's working where I can redirect from http to https (see the web.xml security constraint block below), but then I'm in https for all web pages, and if I type http at the URL, the session goes away. What I'm aiming for is a webapp where account info is secure and general web pages are http, and the session is preserved.

Any thoughts, ideas, comments, quotes, anything? I've searched pretty well, I think, and I don't see any responses to this problem. Is that strange? I thought a lot of people would use tomcat for an e-commerce or retail webapp, where some pages were https and some http using the same session.

help!

thanks,
Rob

    <security-constraint>
        <display-name>Secure Access</display-name>
        <web-resource-collection>
            <!-- a web-resource-collection takes exactly one web-resource-name -->
            <web-resource-name>LoginServlet and AdminServlet</web-resource-name>
            <url-pattern>/login</url-pattern>
            <url-pattern>/my-account/*</url-pattern>
            <url-pattern>/acct</url-pattern>
            <url-pattern>/admin</url-pattern>
            <url-pattern>/zadmin/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <!-- CONFIDENTIAL forces these patterns onto HTTPS -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

-----Original Message-----
From: Caldarale, Charles R [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 23, 2005 4:19 PM
To: Tomcat Users List
Subject: RE: tomcat 5 http/https config

> From: Rob [mailto:[EMAIL PROTECTED]
> Subject: tomcat 5 http/https config
>
> The problem we're having is switching back to http (and the session
> dropping).

As I recall, a session can be switched to https from http, but not back - that is considered to be a security hole. You might want to check the mail archives, since I believe it has been discussed a couple of times in the last few months.

- Chuck
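Added example, not part of the thread: what makes the session "go away" when the URL switches from https to http. Tomcat marks the JSESSIONID cookie Secure when the session is created on an HTTPS request, and a user agent never returns a Secure cookie over plain HTTP, so the http:// page arrives with no session cookie at all. The simulation below uses Python's standard cookie jar as the browser with a constructed Set-Cookie header; www.example.com is a placeholder host.

```python
"""Simulate a Tomcat JSESSIONID cookie crossing https:// and http:// pages.

Constructed example: Tomcat sets the Secure attribute on JSESSIONID when
the session is created over HTTPS, and a Secure cookie is only sent back
over HTTPS (RFC 6265 section 4.1.2.5). The cookie jar plays the browser;
no network is used.
"""
from email.message import Message
from http.cookiejar import CookieJar
from typing import Optional
from urllib.request import Request

# Placeholder host for the simulation.
HOST = "www.example.com"


class _SetCookieResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie: str) -> None:
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self) -> Message:
        return self._headers


def cookie_sent_on_next_page(login_scheme: str, next_scheme: str) -> Optional[str]:
    """Log in over login_scheme, then fetch a page over next_scheme.

    Returns the Cookie header the browser attaches to the second request,
    or None when the session cookie is withheld (session appears lost).
    """
    # Tomcat flags the session cookie Secure only when it is created over HTTPS.
    secure = "; Secure" if login_scheme == "https" else ""
    set_cookie = "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/" + secure

    jar = CookieJar()
    login_req = Request(f"{login_scheme}://{HOST}/login")
    jar.extract_cookies(_SetCookieResponse(set_cookie), login_req)

    next_req = Request(f"{next_scheme}://{HOST}/catalog")
    jar.add_cookie_header(next_req)
    return next_req.get_header("Cookie")


if __name__ == "__main__":
    for login, nxt in (("https", "https"), ("https", "http"), ("http", "https")):
        print(f"login over {login}, next page over {nxt}: "
              f"{cookie_sent_on_next_page(login, nxt)!r}")
```

The third case shows the other direction works: a cookie created over http carries no Secure flag, so it follows the user onto https pages. Sending that same session id back over plain http is the exposure Chuck calls a security hole, which is why keeping the whole session on HTTPS avoids both the drop and the risk.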
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]