<security-constraint> only works to say "I want pages to be encrypted."
Not the latter.
The typical complaint is a developer wishes to encrypt the login process
and nothing else. <security-constraint> only guarantees that your pages
are secure - but does nothing to get you away from ssl.
Of course - the second your session cookie gets transmitted in the clear
- your session can be hijacked - but it's all a matter of tradeoffs. In
most cases protecting the password is enough. The people who are nuts
for security cringe at the above.
There have been a few arguments about this in the archives. Before
anyone else jumps in with the opinion - please first rehash the good
times in the archives. ;)
-Tim
Christopher Schultz wrote:
Tim,
Tim Funk wrote:
What you'll really want is to ditch the transport guarantee clause in
web.xml and create a filter which will be smart enough to force/unforce
you from SSL.
Why do this when the <security-constraint> already allows you to protect
only certain URL patterns? It seems to me that maintaining less code in
your application is a good thing.
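The force/unforce filter Tim describes, written out as an added example (not code from this thread or from Tomcat itself); the login paths and the 8080/8443 connector ports are assumptions, and the redirect back to http is the tradeoff he mentions, since the session cookie then travels in the clear:

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Forces SSL for the login paths and sends every other request back to plain HTTP. */
public class SslSwitchFilter implements Filter {
    // Assumed for this example: the only servlet paths that must travel over SSL.
    private static final Set<String> SSL_PATHS = Set.of("/login.jsp", "/j_security_check");
    private static final int HTTPS_PORT = 8443; // assumed connector ports
    private static final int HTTP_PORT = 8080;

    /** Scheme the request must be moved to, or null if it may proceed as-is. */
    static String requiredScheme(String servletPath, boolean isSecure) {
        boolean needsSsl = SSL_PATHS.contains(servletPath);
        if (needsSsl && !isSecure) return "https";
        if (!needsSsl && isSecure) return "http"; // the "unforce" half: leaves SSL again
        return null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String scheme = requiredScheme(request.getServletPath(), request.isSecure());
        if (scheme == null) {
            chain.doFilter(req, res); // already on the right connector
            return;
        }
        // Rebuild the same URL on the other connector. Once a request is sent back to
        // http, the session cookie set during login is transmitted unencrypted.
        int port = "https".equals(scheme) ? HTTPS_PORT : HTTP_PORT;
        StringBuilder url = new StringBuilder(scheme).append("://")
                .append(request.getServerName()).append(':').append(port)
                .append(request.getRequestURI());
        if (request.getQueryString() != null) url.append('?').append(request.getQueryString());
        response.sendRedirect(url.toString()); // 302; a POST body is not carried across
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Map the filter to `/*` in web.xml in place of the `<transport-guarantee>` clause; keeping both would have the container and the filter disagree about which paths may leave SSL.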