My question is how to combine form-based authentication, where we use "j_security_check", "j_username", etc., with HTTPS. As far as I know, if we use form-based authentication, the username and password will be authenticated by the container-managed resource called "j_security_check". But the data transfer from the client browser to Tomcat will still be plain text. I want to encrypt this, and obviously I need to use HTTPS. So how do I combine both, and how will Tomcat help me do this?
2009/1/6 Mark Thomas <ma...@apache.org>:
> Gregor Schneider wrote:
>> On Tue, Jan 6, 2009 at 9:13 PM, Diego Armando Gusava
>> <diegogus...@gmail.com> wrote:
>>> no man, example, email
>>>
>>> when u login, your username and password will be transport https, but
>>> after that, you are in http! u don't need https because, you are only
>>> reading messages(emails)
>>>
>>
>> Then just phrase your url-pattern in your security-constraint-section
>> accordingly - should work.
>
> It won't. Tomcat won't let a session created under HTTPS transition to HTTP as
> the session ID is effectively the password. If the password needed HTTPS then
> the session ID does too.
>
> Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org