"Form Based Authentication has the same lack of security as Basic Authentication since the user password is transmitted as plain text and the target server is not authenticated. Again additional protection can alleviate some of these concerns: a secure transport mechanism (HTTPS)."

I want "a secure transport mechanism (HTTPS)". How can I do it?

2009/1/6 Diego Armando Gusava <diegogus...@gmail.com>:
> let me explain
>
> when I try to access mySecurePath, for example, Tomcat shows me a login
> page with https, but after that I don't need to be on https,
> because I only need to send a protected username and password.
>
> I want only login.jsp to need https!!
>
> 2009/1/6 Pid <p...@pidster.com>:
>> Diego Armando Gusava wrote:
>>> I don't know how to request j_security_check on https!
>>>
>>> I attempted http://wiki.apache.org/tomcat/SSLWithFORMFallback but it didn't work
>>
>> I think the above attempts to find an SSL cert, but falls back to FORM
>> auth. Which isn't perhaps what you want?
>>
>>> <login-config>
>>>   <!--<auth-method>FORM</auth-method>-->
>>>   <form-login-config>
>>>     <form-login-page>/login.do</form-login-page>
>>>     <form-error-page>/login/loginError.jsp</form-error-page>
>>>   </form-login-config>
>>> </login-config>
>>
>> Set <transport-guarantee>CONFIDENTIAL</transport-guarantee> in the
>> security constraint section, as below. Ensure that you have an SSL
>> enabled connector and that the redirect port on the normal connector
>> matches the SSL port.
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>Protected Area</web-resource-name>
>>     <url-pattern>/mySecurePath/</url-pattern>
>>     <http-method>GET</http-method>
>>     ...
>>     <http-method>POST</http-method>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>rolename</role-name>
>>   </auth-constraint>
>>   <user-data-constraint>
>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>   </user-data-constraint>
>> </security-constraint>
>>
>> p
>>
>>> Tomcat redirects to HTTP!
>>>
>>> cheers

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
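
Added example, not part of the thread and not Tomcat's own code: a Python check for the items the quoted reply says must line up (an SSL-enabled connector, a matching redirect port on the normal connector, CONFIDENTIAL on the protected constraint), plus an active FORM auth-method. The sample files are constructed; ports 8080/8443, the `/mySecurePath/*` pattern and detecting the SSL connector by `SSLEnabled` or `scheme="https"` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples (assumed ports and URL pattern, not taken from the thread).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true"/>
</Service></Server>"""
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/mySecurePath/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>rolename</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""

def named(root, name):
    # Match on the local tag name so a namespaced web.xml is handled too.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def is_ssl(conn):
    # Assumption: an SSL connector sets SSLEnabled="true" or scheme="https".
    return conn.get("SSLEnabled", "").lower() == "true" or conn.get("scheme") == "https"

def check(server_xml, web_xml):
    """Return a list of problems that would break the HTTP -> HTTPS redirect."""
    problems = []
    conns = named(ET.fromstring(server_xml), "Connector")
    ssl_ports = {c.get("port") for c in conns if is_ssl(c)}
    if not ssl_ports:
        problems.append("no SSL-enabled connector")
    for c in conns:
        if not is_ssl(c) and c.get("redirectPort") not in ssl_ports:
            problems.append(f"connector {c.get('port')}: redirectPort "
                            f"{c.get('redirectPort')} is not an SSL port")
    web = ET.fromstring(web_xml)
    for sc in named(web, "security-constraint"):
        guarantees = [(g.text or "").strip() for g in named(sc, "transport-guarantee")]
        if named(sc, "auth-constraint") and "CONFIDENTIAL" not in guarantees:
            problems.append("protected constraint lacks CONFIDENTIAL")
    methods = [(m.text or "").strip() for m in named(web, "auth-method")]
    if methods != ["FORM"]:
        problems.append(f"auth-method is {methods or 'missing'}, expected FORM")
    return problems
```

An empty list means the constraint, the connectors and the login method agree; a commented-out `<auth-method>` is reported as missing because the XML parser drops comments.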