> Thanks. One follow-up question. Since everything in DSpace is supposed to be
> open and freely accessible, other than the login procedure, is there any
> need for the rest of the site to be secured?
As usual, "it depends..." mainly on how much you care about truly securing the authenticated access to the DSpace site. The answer is "no, the servlets that don't transmit passwords can be left unsecured" if you aren't concerned about real security against active attacks.

Some DSpace instances have content that is not all freely available, but the web UI handles this gracefully by turning an authorization failure into a redirect to the login page. So unauthenticated visitors can browse around with normal HTTP until they hit something protected.

However, the login procedure works by handing your browser a cookie. The cookie is not marked Secure, so it gets transmitted on non-encrypted connections, and so it is subject to cookie hijacking (though recent changes to the Authenticate class mitigate this somewhat) -- basically, the risk is that an attacker could steal your cookie and get your level of access to DSpace, which is significant if you're an Administrator. Most sites don't consider this enough of a risk to be worth running the entire site through HTTPS, but I'm just mentioning it so you know the reasoning.

OBTW, the <security-constraint> method below is an elegant solution. It depends on having the secure="true" attribute on the <Connection> element in your Tomcat server.xml, and the <Connection>s set up to automatically redirect to the HTTPS port, but that's simple to set up; it's well documented in the Tomcat docs. It would be great to add this to the wiki, since it doesn't seem to be there anywhere I can find. If you need it, I've got a live example that I could add.
-- Larry

> On 1/24/07, Guang Huang <[EMAIL PROTECTED]> wrote:
> >
> > In the DSpace application web configuration file web.xml
> > add something like:
> >
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>Pages requiring HTTPS</web-resource-name>
> >     <url-pattern>...</url-pattern>
> >     <url-pattern>...</url-pattern>
> >   </web-resource-collection>
> >   <user-data-constraint>
> >     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >   </user-data-constraint>
> > </security-constraint>
> >
> > You could check the DSpace developer documentation or the JSP/server
> > specification for details.
> >
> > Good luck
> >
> > John Preston wrote:
> > > Can anyone tell me if it is possible to use https for just the login
> > > steps and regular unsecured http to access my DSpace site. I need to
> > > secure the login username/password phase but once logged in I want to
> > > use the regular http so it is as fast as possible.
_______________________________________________
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
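The thread above raises two things a practitioner would want to verify before settling for "HTTPS on login only": exactly which request paths a <security-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee> actually covers (the servlet-spec url-pattern rules are exact match, path-prefix `/foo/*`, extension `*.ext`, and the default `/`), and whether the session cookie Larry describes is left hijackable because it lacks the Secure flag. The following is an added example written for this page, not code from DSpace, Tomcat or any of the posters. The web.xml fragment and the url-patterns in it (`/password-login`, `/dspace-admin/*`) and the Set-Cookie header lines are constructed for illustration and are assumptions, not DSpace's real configuration.

```python
"""Two checks for the 'HTTPS for login only' setup discussed above:

1. Which paths a web.xml <security-constraint> forces onto HTTPS
   (servlet-spec url-pattern matching).
2. Whether a Set-Cookie header leaves the session cookie exposed on
   plain HTTP (no Secure flag) or to script (no HttpOnly flag).
"""
import xml.etree.ElementTree as ET

# Constructed sample web.xml (assumption: the url-patterns are illustrative,
# not DSpace's actual servlet mappings).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Pages requiring HTTPS</web-resource-name>
      <url-pattern>/password-login</url-pattern>
      <url-pattern>/dspace-admin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# Constructed Set-Cookie header values (assumption: hypothetical responses).
COOKIE_WEAK = "JSESSIONID=ABC123; Path=/dspace"
COOKIE_HARDENED = "JSESSIONID=ABC123; Path=/dspace; Secure; HttpOnly"


def load_confidential_patterns(web_xml: str) -> list:
    """Return every url-pattern whose constraint demands CONFIDENTIAL/INTEGRAL transport."""
    root = ET.fromstring(web_xml)
    patterns = []
    for sc in root.iter("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", default="NONE")
        if guarantee.strip().upper() not in ("CONFIDENTIAL", "INTEGRAL"):
            continue  # NONE: plain HTTP is allowed for these resources
        for wrc in sc.iter("web-resource-collection"):
            patterns.extend(p.text.strip() for p in wrc.iter("url-pattern") if p.text)
    return patterns


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec url-pattern matching against a context-relative path."""
    if pattern == "/":
        return True                       # default servlet: everything
    if pattern.endswith("/*"):            # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):          # extension mapping, e.g. *.jsp
        return path.endswith(pattern[1:])
    return path == pattern                # exact mapping


def requires_https(patterns: list, path: str) -> bool:
    """True if the container will redirect/deny this path on plain HTTP."""
    return any(pattern_matches(p, path) for p in patterns)


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookie_findings(header: str) -> list:
    """Report the flags whose absence makes a session cookie hijackable."""
    cookie = parse_set_cookie(header)
    findings = []
    if "secure" not in cookie["attrs"]:
        findings.append(f"{cookie['name']}: no Secure flag, browser sends it over plain HTTP")
    if "httponly" not in cookie["attrs"]:
        findings.append(f"{cookie['name']}: no HttpOnly flag, readable by page script")
    return findings


if __name__ == "__main__":
    pats = load_confidential_patterns(SAMPLE_WEB_XML)
    for path in ("/password-login", "/dspace-admin/edit-communities", "/handle/123/1"):
        print(f"{path:35} HTTPS required: {requires_https(pats, path)}")
    for header in (COOKIE_WEAK, COOKIE_HARDENED):
        print(header, "->", cookie_findings(header) or "ok")
```

The point the script makes concrete is the one in Larry's reply: even with the login servlet under CONFIDENTIAL, a cookie issued without the Secure flag will still ride along on every subsequent plain-HTTP request (for example `/handle/123/1`, which the constraint does not cover), so the session is exposed to anyone on the path unless the cookie is flagged or the whole site goes over HTTPS.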