It doesn't work that way. If you have an insecure page, but you send
the submission over https, then all transmission out is secured. So
the question is one of threat modelling.
If your "attack vector" is network sniffing, then sending data from an
http-served page over https back to the server (such as merely
authentication tokens) is fine. If, however, your attack vector is
someone looking on the local machine, then you need more protections,
and some browsers will handle https pages differently in a way that
makes it harder to do this sort of forensic attack.
So it is a valid use-case, what he's suggesting, though it might be a
bit architecturally difficult given how J2EE works. It can be done,
but it's annoying. Personally, I'd recommend he make the page secure
as you suggest. Just wanted to put in a word that it's not, strictly
speaking, an insecure practice in all situations.
Christian.
On 18-Apr-08, at 20:06, Howard Lewis Ship wrote:
Currently, it is all or nothing, the entire page is secure or none of
it is. If you can send secure data via a non-secure channel (HTTP,
not HTTPS) is it really secure, just because the server rejects the
request?
On Thu, Apr 17, 2008 at 4:13 PM, Filip S. Adamsen <[EMAIL PROTECTED]> wrote:
Hi,
I have a login form on most pages in my application. I would like this form
to be secure. As far as I can see, though, this isn't possible because form
actions will only be secure if the form is contained in a secure page.
Would it be possible to add a secure parameter or some such to Form that
would take care of this?
-Filip
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Howard M. Lewis Ship
Creator Apache Tapestry and Apache HiveMind
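The two server-side pieces the thread circles around, as an added Python example that is not part of this thread and not Tapestry code: an absolute https:// form action that can be rendered into a plain-HTTP page (Filip's use case), and a login handler that refuses credentials unless the request itself arrived over TLS (the "server rejects the request" Howard refers to). The login path, cookie name and host names are constructed for illustration, and the code assumes a plain WSGI deployment with no TLS-terminating proxy in front of it.

```python
# Added example (not from the mailing-list thread): enforce that login
# submissions arrive over HTTPS even when the form was rendered on an
# http-served page. Paths, cookie name and hosts are constructed values.
from urllib.parse import urlsplit

LOGIN_PATH = "/login"          # hypothetical login action path
SESSION_COOKIE = "SESSIONID"   # hypothetical session cookie name


def login_action_url(page_url, login_path=LOGIN_PATH):
    """Absolute https:// action for a form, regardless of the page's own scheme.

    Any explicit port on the http page is dropped: the https endpoint is
    assumed to listen on the default port 443 (an assumption of this example).
    """
    host = urlsplit(page_url).hostname
    if not host:
        raise ValueError("page_url must be absolute: %r" % page_url)
    return "https://%s%s" % (host, login_path)


def is_secure_transport(environ):
    """True only when the request itself arrived over TLS.

    WSGI reports the scheme in wsgi.url_scheme. A proxy header such as
    X-Forwarded-Proto is deliberately ignored: trusting it is only safe
    behind a TLS-terminating proxy you control, which this example assumes
    is not present.
    """
    return environ.get("wsgi.url_scheme") == "https"


def handle_login(environ):
    """Return (status, headers, body) for a login submission.

    The page that rendered the form plays no part in the decision; what
    matters is the channel the credentials actually travelled over.
    """
    if environ.get("PATH_INFO") != LOGIN_PATH:
        return ("404 Not Found", [], "")
    if environ.get("REQUEST_METHOD") != "POST":
        return ("405 Method Not Allowed", [("Allow", "POST")], "")
    if not is_secure_transport(environ):
        # Rejecting protects the session, not the credentials: if they really
        # were sent over plain HTTP they have already crossed the network in
        # the clear, which is the point raised in the thread above.
        return ("403 Forbidden", [], "login must be submitted over HTTPS")
    # Credential verification is out of scope here; a constant token stands in.
    # The Secure flag keeps the resulting session cookie off plain-HTTP requests.
    session = "%s=opaque-token; Secure; HttpOnly; Path=/" % SESSION_COOKIE
    return ("200 OK", [("Set-Cookie", session)], "authenticated")


def wsgi_app(environ, start_response):
    """Minimal WSGI wrapper so the handler runs under any WSGI server."""
    status, headers, body = handle_login(environ)
    start_response(status, headers + [("Content-Type", "text/plain")])
    return [body.encode("utf-8")]


def make_environ(scheme, method="POST", path=LOGIN_PATH):
    """Constructed WSGI environ for the demonstration below."""
    return {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method, "PATH_INFO": path}


if __name__ == "__main__":
    print(login_action_url("http://www.example.com:8080/news"))
    print(handle_login(make_environ("https"))[0])  # accepted
    print(handle_login(make_environ("http"))[0])   # rejected
```

The check belongs at the login handler rather than in the page, since the page's own scheme says nothing about how the browser will ultimately send the credentials; the handler can only refuse what it sees, which is why the form action must be absolute https:// in the first place.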