Gregor Schneider wrote:
> Hi there,
>
> I'm just wondering one thing:
>
> When using formbased authentication within Tomcat aka
> j-security_check, the credentials are sent over the wire.
>
> No problem when using SSL, however, when using a simple HTTP-request,
> I figure that this scenario might be a security-issue.

For 99.9% of use cases yes, this is a security issue.

> Does anybody have a suggestion how to make such a login safe without
> having to install an SSL-certificate?

No.

> How are you handling this? Is everybody using SSL at least for authentication?

You should be using SSL for authentication and all following access to
secured resources since the session ID needs to be protected as well.

> Appreciate your comments on this!

DIGEST is secure and doesn't need SSL although I don't see it discussed
much here.

Mark