> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Question about SSL
>
> 1. <transport-guarantee> doesn't apply (I think) to the login page that
> Tomcat serves, even if you set it.
If the requested resource is covered by the security constraint that includes the <transport-guarantee> of CONFIDENTIAL, the login page will be protected. The redirect to the SSL port happens before the login.

> That last one can be a real PITA: if you're looking for secure-auth
> /only/, then you'll have to design your pages to ensure that your
> cookies are always in non-secure-mode but that j_security_check does
> get sent over HTTPS.

And, as we keep trying to drum into people, having an encrypted login but unencrypted pages serves little purpose, since the now trusted jsessionid is visible to anyone who can see the traffic - such as your neighbor on your cable-based ISP.

 - Chuck
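As an added illustration of the configuration Chuck describes (this fragment is not from the thread and not Tomcat's own documentation), here is a Servlet web.xml in which the whole application, login page included, sits inside a security constraint with a CONFIDENTIAL transport guarantee, so the redirect to the SSL port happens before the form login is ever shown. The role name, page paths and the Servlet 3.0 `cookie-config` element are assumptions for the example; the cookie settings address the second point in the reply, that a session id issued after an encrypted login is only as safe as the least-protected page it is sent to.

```xml
<!-- Added example, not from the mailing-list thread.
     Role name and page paths are placeholders. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <!-- Covering /* (rather than only the login URLs) is what keeps every
           request, including the one that triggers the login, on HTTPS. -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL: the container redirects plain-HTTP requests for any
           matched URL to the SSL port before authentication starts. Narrowing
           the url-pattern to just the login page would produce the
           "encrypted login, unencrypted pages" setup the reply warns against. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Servlet 3.0 and later: mark the session cookie Secure so the browser
       never sends JSESSIONID over plain HTTP even if an http:// link into the
       site is followed; HttpOnly keeps it out of reach of page scripts. -->
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>

</web-app>
```

A quick check after deploying: request any page over http:// and confirm the response is a redirect to the https:// URL, then inspect the Set-Cookie header for JSESSIONID and confirm it carries the Secure attribute.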