> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Question about SSL
> 
> 1. <transport-guarantee> doesn't apply (I think) to the login page that
> Tomcat serves, even if you set it.

If the requested resource is covered by the security constraint that includes 
the <transport-guarantee> of CONFIDENTIAL, the login page will be protected.  
The redirect to the SSL port happens before the login.

> That last one can be a real PITA: if you're looking for secure-auth
> /only/, then you'll have to design your pages to ensure that your
> cookies are always in non-secure-mode but that j_security_check does
> get sent over HTTPS.

And, as we keep trying to drum into people, having an encrypted login but 
unencrypted pages serves little purpose, since the now trusted jsessionid is 
visible to anyone who can see the traffic - such as your neighbor on your 
cable-based ISP.

 - Chuck
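A web.xml fragment illustrating both points above, added here as an example and not taken from the thread or from Tomcat's own documentation: a single CONFIDENTIAL constraint on /* makes the redirect to the SSL port happen before the login page is served, and avoids the leaked-JSESSIONID problem that a login-only constraint leaves behind. The /login.jsp and /login-error.jsp paths and the role name "user" are assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed example web.xml (Servlet 3.0 schema); not from the thread. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Weak variant, for comparison only (not declared here): a constraint whose
       url-pattern covers just /j_security_check or the login page forces HTTPS
       for the credential POST, but every later request goes over plain HTTP and
       carries the now-authenticated JSESSIONID in the clear. -->

  <!-- Corrected: one constraint covering the whole application. Tomcat checks the
       user-data-constraint before it authenticates, so an http:// request for any
       matching URL, the login page included, is redirected to the SSL port before
       the form is ever sent. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name> <!-- assumed role name -->
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page> <!-- assumed path -->
      <form-error-page>/login-error.jsp</form-error-page> <!-- assumed path -->
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- Servlet 3.0 and later: mark the session cookie Secure (and HttpOnly) so the
       browser never sends JSESSIONID over http:// even if some URL is left
       outside the constraint. -->
  <session-config>
    <cookie-config>
      <secure>true</secure>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>
```

The cookie-config element needs a Servlet 3.0 container (Tomcat 7 or later); on older Tomcat versions the /* constraint alone is what keeps the session id off plain HTTP.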

