I would bet they are not using security constraints as defined in web.xml. I would bet they are using a third-party solution implemented as a Servlet Filter or something application-server-specific to handle this login issue. Notice they do not use JSESSIONID but something called BV_SessionID as a parameter in the query string. A quick Google search seems to show they use BroadVision.

-Tim

Dean Searle wrote:

Tim,

I'm not an expert with Tomcat, but how does a site like samsclub.com do
it then? I use their site a lot and it runs JSPs and most of the stuff
is unsecure (http), but when I get ready to do the actual purchase and
log in it is a secure site (https). Is there something that they are
doing, possibly masquerading the URL or something?

Again not an expert, but something I have been interested in for some
time myself.

Dean 8-)

-----Original Message-----
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 10:34 AM
To: Tomcat Users List
Subject: Re: web.xml question

Security constraints are only imposed on the incoming URL.

Long story short - you'll need to place the entire webapp in SSL. There
is no clean way to use declarative statements to force the login to be
SSL and the rest of the webapp be non-SSL.

-Tim

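Added example, not part of the original thread: a web.xml fragment that does what the last message recommends, placing the entire webapp under SSL with a declarative constraint. The resource names and the `/login.jsp` path in the commented-out variant are assumptions for illustration.

```xml
<!-- Added illustration; resource names and paths are assumed, not from the thread. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!--
    Login-only variant, shown for contrast and left disabled.
    A constraint is matched against the incoming URL only, so this
    protects requests for /login.jsp and says nothing about the
    transport used for any page requested afterwards.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login page only</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  -->

  <!-- Whole-application variant: every incoming URL matches /*,
       so every request must arrive over SSL. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

With this in place, Tomcat redirects a plain-HTTP request that matches the constraint to the `redirectPort` configured on the HTTP connector in server.xml.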