Guojun,

On 5/11/2009 5:49 PM, Guojun Zhu wrote:
> Dear Chris,
>
> Thank you very much. What we really want is that the login
> username/password is communicated encrypted. Everything else can be in
> clear-text. (We also need the log-out, so I cannot use digest
> authentication.)
>
>> Showing a non-secure login page isn't a problem, is it? You just need to
>> make sure that the login form's action is HTTPS and you will get a
>> secure login.
>
> But if this login page is reached by http, will the login
> username/password be sent out in clear-text?

The scheme used to access the login page is not relevant to the safety of
your credentials. Only the scheme used to /submit/ those credentials from
your login form is relevant.

> Or should I specify the action "j_security_check" as https?

Definitely.

> Then after the authentication, change back to http.

Correct.

> (By changing the secured cookie into an unsecured one? Where? In every
> page, as tomcat has redirected the link away from login?)

No, all my suggestions have been to create a non-secure session id cookie
/before/ authentication occurs. Then you don't have to worry about it,
later.

-chris
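As an added example (not code from the thread or from Tomcat itself), here is a hypothetical login-page servlet, `LoginServlet`, that does what Chris describes: the page is served over plain http, it creates the session before authentication so JSESSIONID is issued without the Secure flag, and the form posts to an absolute https URL for j_security_check. It assumes web.xml declares FORM authentication with this servlet as the form-login-page and supplies the HTTPS host name as an init parameter named `secureHost`.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed web.xml fragment (FORM auth, this servlet mapped to /login):
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/login</form-login-page>
 *       <form-error-page>/login?failed=1</form-error-page>
 *     </form-login-config>
 *   </login-config>
 */
public class LoginServlet extends HttpServlet {

    /** Absolute HTTPS action URL for Tomcat's form-login target. */
    static String secureAction(String secureHost, String contextPath) {
        return "https://" + secureHost + contextPath + "/j_security_check";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Create the session while the request is still plain http, so Tomcat
        // sets JSESSIONID without the Secure flag. Browsers send that cookie to
        // the https POST as well, and it keeps working once the user is back on
        // http (which also means the authenticated session id travels in clear).
        req.getSession(true);

        // Host name comes from configuration (assumed init-param), not from the
        // Host header, so nothing request-controlled is reflected into the page.
        String host = getServletConfig().getInitParameter("secureHost");
        String action = secureAction(host, req.getContextPath());

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        if (req.getParameter("failed") != null) {
            out.println("<p>Login failed.</p>");
        }
        // The credentials only ever travel in this POST, which goes over https.
        out.println("<form method=\"POST\" action=\"" + action + "\">");
        out.println("  Username: <input type=\"text\" name=\"j_username\"><br>");
        out.println("  Password: <input type=\"password\" name=\"j_password\"><br>");
        out.println("  <input type=\"submit\" value=\"Log in\">");
        out.println("</form></body></html>");
    }
}
```

Tomcat only accepts the j_security_check POST as part of an authentication it started, so users must reach this page by requesting a protected resource (after which Tomcat redirects them back to that original http URL), not by opening /login directly.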
On 5/11/2009 5:49 PM, Guojun Zhu wrote: > Dear Chris, > > Thank you very much. What we really want is that the login > username/password communicates encrypted. Everything else can be in > clear-text. (We also need the log-out, so I cannot use the digest > authentification.) > > >> Showing a non-secure login page isn't a problem, is it? You just need to >> make sure that the login form's action is HTTPS and you will get a >> secure login. > > But if this login page is reached by http, will the login > username/password be sent out in clear-texted? The scheme used to access the login page is not relevant to the safety of your credentials. Only the scheme used to /submit/ those credentials from your login form is relevant. > Or should I specified the action "j_security_check" as https? Definitely. > Then after the authentication, > change back to http. Correct. > (By changing the secured cookie into unsecured? > Where? In every pages as tomcat has redirect the link away from > login?) No, all my suggestions have been to create a non-secure session id cookie /before/ authentication occurs. Then you don't have to worry about it, later. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoIqKIACgkQ9CaO5/Lv0PAifgCdGOhDbM2bEmMyoZUGCKrwSQx5 Sg0AoJCaYuusBHIS98n8vKRUtalnjQkD =OlR2 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org