Hi!

I am using that for my login pages. The problem is that Tomcat doesn't honor
that. So, must I put my whole web-app as CONFIDENTIAL when I only need the
login to be performed in a (relatively) safe way?

Thanks in advance
Roland Carlsson

----- Original Message -----
From: "Michal Kwiatek" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Friday, November 12, 2004 1:32 PM
Subject: RE: Login over ssl



According to the servlet specs, you need to require transport guarantee CONFIDENTIAL or INTEGRAL (I'm not sure what the difference is, perhaps somebody can clarify this). So try:


<transport-guarantee>CONFIDENTIAL</transport-guarantee>

Hope that helps...

Michał.

-----Original Message-----
From: Roland Carlsson [mailto:[EMAIL PROTECTED]
Sent: Friday, November 12, 2004 11:14 AM
To: TomcatUsers
Subject: Login over ssl

Hi!

I have a problem with securing a login page. I would like the
login form to be secured with SSL to ensure that the user's
credentials aren't easily readable. But I have no need to
put the rest of my page in SSL mode.

I have posted the <security-constraint/> and <login-config/> below.
It seems as if the <security-constraint> named AQMFiles 02
isn't used at all. At least, all requests that get interrupted
as the user isn't authenticated are sent to /login.jsp as
non-SSL requests and don't get redirected to SSL.

Must I put my whole web-app in SSL mode to make sure that my
users' credentials are secure?

Regards
Roland Carlsson

PS: I apologize for the posting that got the wrong address
(Gothia), I should learn not to talk on the phone and write
mail at the same time. :-)

--------------- part of web.xml----------

<security-constraint>
  <display-name>AQMFiles 02</display-name>
  <web-resource-collection>
    <url-pattern>/login.jsp</url-pattern>
    <url-pattern>/error.jsp</url-pattern>
    <url-pattern>*j_security_check*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <display-name>AQMFiles 01</display-name>
  <web-resource-collection>
    <url-pattern>/pages/*</url-pattern>
    <url-pattern>/env/*</url-pattern>
    <url-pattern>/index_1.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>AQMFile login</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>

-------------------------------------------






--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]



