Yep, Konstantin is right. This is what I do with all of my public pages that I 
want secured. This means I https ALL pages without exception if I want it to be 
secure. The net is nasty. You may have performance issues but once your public 
server is breached you will have more issues. As I said before: JSF is slow. 
There are benchmarks using JMeter comparing like JSF and JSP pages. Read Peter 
Lin's work on performance. HTH.

Konstantin Kolinko wrote ..
> You cannot and must not show that your page is secure, because it is not.
> 
> The problem is that your page is vulnerable to a man-in-the-middle
> attack: there is no guarantee that the text of your web page or of the
> javascript files that it is using was not altered by someone while it
> was transmitted from the server to your client.
> 
> E.g. someone may implement a script that submits the copy of sensitive
> data to some other server, before submitting it through https to your
> server.
> 
> The only way to claim that your page is secure is to serve it through https.
> 
> 
> 
> 2008/2/1, Dave <[EMAIL PROTECTED]>:
> >   If a form may contain personal data, it should be submitted using https.
> > Also we need to let user know it is secure by showing a lock and
> > https://.... in browser address bar.
> >
> >   Sometimes the IE browser shows a warning: the page contains both secure
> > and nonsecure data. What is the meaning? How to avoid the warning?
> >
> >
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
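
An added example, not part of the original thread: a small Python check for the two conditions discussed above, a form delivered on a plain-http page (open to tampering in transit even when it submits to https) and an https page that pulls in http resources (the cause of the "secure and nonsecure" warning). The names `audit` and `TransportAudit` and the `example.test` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes the browser fetch a resource or submit data.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "form": "action"}

class TransportAudit(HTMLParser):
    """Collect transport-security findings for one HTML page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_secure = urlparse(page_url).scheme == "https"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr) or ""
        if not value and tag != "form":
            return
        # Relative and protocol-relative URLs inherit the page's scheme;
        # a form without an action submits back to the page URL.
        target = urljoin(self.page_url, value)
        scheme = urlparse(target).scheme
        if tag == "form" and not self.page_secure:
            # An https action does not help: the page carrying the form
            # could have been altered before it reached the browser.
            self.findings.append(("form-on-insecure-page", target))
        elif self.page_secure and scheme == "http":
            kind = "insecure-form-action" if tag == "form" else "mixed-content"
            self.findings.append((kind, target))

def audit(page_url, html):
    parser = TransportAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page (hypothetical hosts).
SAMPLE = """<html><body>
<script src="http://static.example.test/menu.js"></script>
<img src="/logo.png">
<form action="https://shop.example.test/login" method="post">
<input name="password" type="password"></form>
</body></html>"""

if __name__ == "__main__":
    for url in ("http://shop.example.test/login.html",
                "https://shop.example.test/login.html"):
        print(url, audit(url, SAMPLE))
```
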
