Chuck,

On 2/23/2010 5:18 PM, Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Subject: Re: Question about SSL
>>
>> 1. <transport-guarantee> doesn't apply (I think) to the login page that
>> Tomcat serves, even if you set it.
> 
> If the requested resource is covered by the security constraint that
> includes the <transport-guarantee> of CONFIDENTIAL, the login page will
> be protected. The redirect to the SSL port happens before the login.

Good to know. I'd have to check the behavior of:

1. Request protected resource, non-CONFIDENTIAL
2. Tomcat responds with login page, login page is configured as CONFIDENTIAL

In this case, is the user redirected to the login page using SSL? Is the
(potentially newly-created) JSESSIONID cookie set to secure or not? I'm
not currently using Tomcat-based auth, and I'm too lazy to test right
now: do you know off the top of your head?

>> That last one can be a real PITA: if you're looking for secure-auth
>> /only/, then you'll have to design your pages to ensure that your
>> cookies are always in non-secure-mode but that j_security_check does
>> get sent over HTTPS.
> 
> And, as we keep trying to drum into people, having an encrypted login
> but unencrypted pages serves little purpose, since the now trusted 
> jsessionid is visible to anyone who can see the traffic - such as
> your neighbor on your cable-based ISP.

Actually, I disagree with your conclusion, here. If you have a trivial
and/or not-particularly-sensitive webapp that requires a login, using
SSL for the credentialing process isn't a bad idea: people tend to use
the same password all over the place. If someone can sniff your
JSESSIONID, yes, they can steal your session and maybe steal all your
favorite kitten memorabilia. On the other hand, if they sniff your
username and password, they might be able to get into your online
banking system.

-chris
