Snaglefrac,

Snaglefrac wrote:
> Now, when someone logs in they are using an unsecured login screen and their
> passwords are sent unencrypted. The solution! HTTPS, no sweat, I have this
> working too. The only problem I have is having the https and LDAP security in
> one application. Additionally I do not want to have every page locked by
> https, only the login screen that gets called by the security constraint.

Okay, so you want to use regular HTTP for everything except the login
page. You just have to make sure that the user has a session before they
try to login.

> so when a user hits /gigatronic/index.jsp they are asked to login because
> of the LDAP realm config. The pages used for the login I need in HTTPS.
> After a secure login it returns back to a regular http for the
> /gigatronic/index.jsp application.

Actually, you just need to submit to j_security_check using HTTPS.
Everything else can be regular HTTP.

> So how can I use HTTPS for only the j_security login portion I specified in
> web.xml and enforce LDAP realm for the rest of my app without having the whole
> app HTTPS.
>
> I tried specifying the HTTPS for my login but the app would not start.
> ex:
> <form-login-config>
>   <form-login-page>https://www.blah.com/secure/login.jsp</form-login-page>
>   <form-error-page>https://www.blah.com/secure/loginerr.jsp</form-error-page>
> </form-login-config>
> This did not work.

Right. Tomcat doesn't do a redirect (or does for some versions and not
others... I can't keep it straight). What you need to do is this, in
your login.jsp page:

    <form action="<%= response.encodeURL(request.getRequestURL().replace(0, 4, "https").toString()) %>">

This will submit your request to Tomcat using HTTPS. I'm not sure, but I
believe the original request will be to an HTTP URL if the original
request was to a non-secure URL. If not, you can always redirect
subsequent requests using a filter or something like that to go back to
HTTP.

-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
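
Added example, not part of the original message and not Tomcat's own code: one way to build the HTTPS form action explicitly, so the credentials post goes to j_security_check on the HTTPS connector's port instead of reusing the port of the HTTP request. The class and method names and the 8080/8443 port values are assumptions; the host and context path are the ones quoted in the thread.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example (hypothetical helper, not from the original message).
public class LoginActionUrl {

    /**
     * Builds the absolute HTTPS URL of the container's j_security_check
     * endpoint from the URL of the current (plain HTTP) request.
     *
     * @param requestUrl  e.g. request.getRequestURL().toString()
     * @param contextPath e.g. request.getContextPath(), "" for the root app
     * @param httpsPort   port of the HTTPS connector (assumed: 8443 or 443)
     */
    public static String httpsLoginAction(String requestUrl, String contextPath, int httpsPort)
            throws URISyntaxException {
        URI current = new URI(requestUrl);
        String host = current.getHost();
        if (host == null) {
            throw new URISyntaxException(requestUrl, "no host in request URL");
        }
        // Drop the HTTP port and emit a port only when it is not the HTTPS
        // default. Swapping just the scheme would turn "http://host:8080"
        // into "https://host:8080", which points at the plain-HTTP connector.
        int port = (httpsPort == 443) ? -1 : httpsPort;
        // The path is fixed to <context>/j_security_check; the query string
        // and fragment of the original request are deliberately discarded.
        URI action = new URI("https", null, host, port,
                contextPath + "/j_security_check", null, null);
        return action.toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample inputs using the host and context from the thread.
        System.out.println(httpsLoginAction(
                "http://www.blah.com:8080/gigatronic/index.jsp", "/gigatronic", 8443));
        System.out.println(httpsLoginAction(
                "http://www.blah.com/gigatronic/index.jsp", "/gigatronic", 443));
    }
}
```

In login.jsp the returned string would still be passed through response.encodeURL(...), as in the snippet in the message. Because later requests return to plain HTTP, the session cookie tied to that login crosses the network unencrypted on every subsequent request.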