Dear Chris,

Thank you very much. What we really want is that the login username/password is communicated encrypted. Everything else can be in clear text. (We also need the log-out, so I cannot use digest authentication.)

> Showing a non-secure login page isn't a problem, is it? You just need to
> make sure that the login form's action is HTTPS and you will get a
> secure login.

But if this login page is reached by http, will the login username/password be sent out in clear text? Or should I specify the action "j_security_check" as https? Then, after the authentication, change back to http. (By changing the secured cookie into unsecured? Where? In every page, as Tomcat has redirected the link away from login?)

Thank you very much.

Sincerely,
Zhu, Guojun