Thank you both for the feedback. Much appreciated. In my case, I am enabling SSL for a web service that issues tokens when users connect to a secure GIS web service over http from a web client. The end user loads a page that contains a JavaScript URL with a supplied token to a secure GIS web service. End users consuming the web service via a web page are not required to "log in". I use the Token service from the local server behind our firewall to generate the token that is embedded in the JavaScript web app that the WWW users see. It can be restricted via the HTTP Referer or an IP address.
However, end users (within our local network) who connect to my secured web service using a desktop client are required to supply an http URL to the web service with a username and password in a dialogue. The desktop client makes the request to the Token service but requires that service to be running in SSL. For anyone interested: http://webhelp.esri.com/arcgisserver/9.3.1/java/token_service.htm "Secure Connection (HTTPS/SSL) required for Token Service"

My sysadmin suggested we disable IIS and let Tomcat handle the SSL certificates, since it seems easier to implement.

-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Tuesday, February 23, 2010 3:19 PM
To: Tomcat Users List
Subject: RE: Question about SSL

> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Question about SSL
>
> 1. <transport-guarantee> doesn't apply (I think) to the login page
> that Tomcat serves, even if you set it.

If the requested resource is covered by the security constraint that includes the <transport-guarantee> of CONFIDENTIAL, the login page will be protected. The redirect to the SSL port happens before the login.

> That last one can be a real PITA: if you're looking for secure-auth
> /only/, then you'll have to design your pages to ensure that your
> cookies are always in non-secure-mode but that j_security_check does
> get sent over HTTPS.

And, as we keep trying to drum into people, having an encrypted login but unencrypted pages serves little purpose, since the now trusted jsessionid is visible to anyone who can see the traffic - such as your neighbor on your cable-based ISP.

 - Chuck
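As an added example (not code from this thread or from ESRI/Tomcat): the web.xml and server.xml fragments that put the two approaches discussed above side by side. The first security-constraint is the "secure-auth only" layout (only the login page and j_security_check forced to HTTPS), the second is the whole-application CONFIDENTIAL constraint that makes Tomcat redirect to the SSL port before the login page is ever served. Paths (/login.jsp, /error.jsp), ports (8080/8443) and the keystore location are assumptions for illustration; the <cookie-config> element assumes a Servlet 3.0 container (Tomcat 7 or later) and would be omitted on Tomcat 6.

```xml
<!-- web.xml (example, assumed application layout) -->
<web-app>

  <!-- WEAK: "secure-auth only". Login and j_security_check go over TLS,
       but every other page is served over plain HTTP, so the JSESSIONID
       cookie issued after login travels in clear on each request. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>login-only</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/j_security_check</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- CORRECTED: cover the whole application. Because /login.jsp and
       /j_security_check fall under /*, the redirect to the SSL port
       happens before the login form is served, and the session cookie
       is never sent over HTTP afterwards. Replace the block above with
       this one; do not keep both. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>entire-app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- Servlet 3.0 / Tomcat 7+ only (assumption): mark the session cookie
       Secure so a browser will not send it over a plain HTTP link even
       if one slips into a page. -->
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>

</web-app>
```

```xml
<!-- server.xml connectors (example, assumed ports and keystore).
     redirectPort on the plain connector is what the CONFIDENTIAL
     constraint uses to bounce the client to HTTPS. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/tomcat.jks" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />
```

Check: with the corrected constraint in place, `curl -I http://host:8080/app/` should return a 302 to `https://host:8443/app/` rather than the login page, and a packet capture on port 8080 should show no JSESSIONID cookie at any point.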