Hi

Java 1.5.0_10
Tomcat 5.5.17

I've just spent the past couple of hours reading past postings to this list
at marc.info

The subject I'm interested in is the efficient use of ssl/https.
I have managed to get the 'redirection' to https working with the following
entry in web.xml (amongst other config type things)

 <security-constraint>
   ...
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>

The problem, as I'm sure you've guessed by now, is that once an account is
logged in
I want the client to be able to browse the site via http, not https.

I know this issue has been around since at least 2004 (this is as far back
as I went)

The Tomcat Docs at http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html state

<quote>

"... Also, while the SSL protocol was designed to be as efficient as
securely possible,
encryption/decryption is a computationally expensive process from a
performance standpoint.
It is not strictly necessary to run an entire web application over SSL, and
indeed a developer
can pick and choose which pages require a secure connection and which do
not..."

</quote>

Marvelous... thing is I've seen various solutions suggested from fronting
Tomcat with Apache httpd and
using something called modRedirect to writing some sort of filter. Have the
experts come to some sort of conclusion
as to the best way to 'pick and choose which pages require a secure
connection...' given the various security issues that seem to be of concern
etc.?

Many thanks for reading this, I'm sure you're all bored to tears by this
subject now.

Rgds
Duncan
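
An added example, not part of the original post or the Tomcat documentation: one way the `web.xml` approach quoted above can scope the transport guarantee to particular paths instead of the whole application. The `/login/*`, `/account/*` and `/public/*` paths and the resource names are hypothetical.

```xml
<!-- Added example; all url-pattern values and resource names are hypothetical. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Paths that carry credentials or account data: a plain-HTTP request
       for these is redirected by the container to the HTTPS connector. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure pages</web-resource-name>
      <url-pattern>/login/*</url-pattern>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- No transport requirement: either scheme is accepted here, so the
       container does not send an HTTPS client back to HTTP. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public pages</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

The guarantee applies only to requests that match a listed pattern. A session identifier sent with requests to the plain-HTTP paths travels unencrypted, so a session that was established over HTTPS is only as protected as its least protected request.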
