-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chuck,
On 2/23/2010 5:18 PM, Caldarale, Charles R wrote: >> From: Christopher Schultz [mailto:ch...@christopherschultz.net] >> Subject: Re: Question about SSL >> >> 1. <transport-guarantee> doesn't apply (I think) to the login page that >> Tomcat serves, even if you set it. > > If the requested resource is covered by the security constraint that > includes the <transport-guarantee> of CONFIDENTIAL, the login page will > be protected. The redirect to the SSL port happens before the login. Good to know. I'd have to check the behavior of: 1. Request protected resource, non-CONFIDENTIAL 2. Tomcat responds with login page, login page is configured as CONFIDENTIAL In this case, is the user redirected to the login page using SSL? Is the (potentially newly-created) JSESSIONID cookie set to secure or not? I'm not currently using Tomcat-based auth, and I'm too lazy to test right now: do you know off the top of your head? >> That last one can be a real PITA: if you're looking for secure-auth >> /only/, then you'll have to design your pages to ensure that your >> cookies are always in non-secure-mode but that j_security_check does >> get sent over HTTPS. > > And, as we keep trying to drum into people, having an encrypted login > but unencrypted pages serves little purpose, since the now trusted > jsessionid is visible to anyone who can see the traffic - such as > your neighbor on your cable-based ISP. Actually, I disagree with your conclusion, here. If you have a trivial and/or not-particularly-sensitive webapp that requires a login, using SSL for the credentialing process isn't a bad idea: people tend to use the same password all over the place. If someone can sniff your JSESSIONID, yes, they can steal your session and maybe steal all your favorite kitten memorabilia. On the other hand, if they sniff your username and password, they might be able to get into your online banking system. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkuFRxIACgkQ9CaO5/Lv0PDVEACfSb93sNr7bGfSctNzW2quru4d YbcAoJMr5aJuGJTGFZyZ0hlc/pa2xBxR =vXVl -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
