Snaglefrac,

Snaglefrac wrote:
> I want to use j_security check with https on port 8443. I only want to
> secure the login pages and not the whole application.

Then you need to configure your <security-constraint>s appropriately.

> so ..
> these pages need to be secured when accessed:
> /secure/login.jsp
> /secure/loginerr.jsp
>
> everything else is secured by form based authentication and uses an ldap
> realm.

If "everything else" will be secured by form-based auth, then what should secure the above two URLs? Any resource that is protected will be protected using the same authentication type: you can't use BASIC for one set of URLs and FORM for another set of URLs in the same webapp.

> <url-pattern>/j_security_check</url-pattern>
> <url-pattern>/secure/j_security_check</url-pattern>
> <url-pattern>/j_security_check</url-pattern>

Note that you can't secure j_security_check: this URL is special and will be handled by the container whether you list it in your <security-constraint>s or not.

> The problem is when I hit the application where I have form authentication
> connection to LDAP, it uses the /secure/login.jsp page, because j_security
> check redirects to this page.

You can't change how this works.

> but it is not forced at https, because the url pattern doesn't match. So how
> can I force the login.jsp page to be https! I don't want my ldap user
> password floating around out there.

Have you tried setting your <form-login-page> to use an HTTPS URL?

-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
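
A web.xml sketch of the elements this reply refers to, as an added example that is not part of the original message: a single FORM login-config for the webapp, with a CONFIDENTIAL transport guarantee on both the login pages and the protected area. The role name `appuser` and the `/*` protected pattern are assumptions; the page paths are the ones from the question.

```xml
<!-- Added example, not from the original thread.
     Assumptions: role name "appuser", protected area is /*. -->
<web-app>

  <!-- Login pages: no auth-constraint (anyone may fetch them), HTTPS required.
       /secure/* is a longer match than /*, so it wins for these two URLs. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Protected area. Constraints are matched against the URL the client
       requested. When the container shows the login page by an internal
       forward (as current Tomcat versions do), the /secure/* constraint is
       not re-evaluated, so the transport guarantee has to sit here as well
       for the form and the j_security_check POST to travel over HTTPS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>appuser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- One login-config per webapp: every protected URL uses FORM. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/secure/login.jsp</form-login-page>
      <form-error-page>/secure/loginerr.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>appuser</role-name>
  </security-role>
</web-app>
```

With CONFIDENTIAL set, Tomcat redirects a plain-HTTP request to the HTTP connector's `redirectPort` (8443 in the question) before the login form is shown. This keeps the protected area on HTTPS too, which is broader than the question's stated aim of securing only the login pages.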