Re: j_security_check and https

2008-11-25 Thread Snaglefrac

I have a Tomcat application. I want to use LDAP authentication. I have this
working, no problem.

When a user hits the site they are asked to login and they use the
j_security method to do so. No problem. 

Now, when someone logs in they are using an unsecured login screen and their
passwords are sent unencrypted. The solution! HTTPS, no sweat, I have this
working too. The only problem I have is having the HTTPS and LDAP security in
one application. Additionally I do not want to have every page locked by
HTTPS, only the login screen that gets called by the security constraint.

Example directory structure:
HTTPS-secured pages and directories:
/security/login.jsp
/security/loginerr.jsp

LDAP realm secured directories:
/gigatronic/*
/gigatronic/index.jsp

So when a user hits /gigatronic/index.jsp they are asked to login because
of the LDAP realm config. The pages used for the login I need in HTTPS.
After a secure login it returns to regular HTTP for the
/gigatronic/index.jsp application.

So how can I use HTTPS for only the j_security login portion I specified in
web.xml and enforce the LDAP realm for the rest of my app without having the whole
app on HTTPS?

I tried specifying HTTPS for my login, but the app would not start.
e.g.:
<form-login-config>
    <form-login-page>https://www.blah.com/secure/login.jsp</form-login-page>
    <form-error-page>https://www.blah.com/secure/loginerr.jsp</form-error-page>
</form-login-config>
This did not work.

Cheers


-- 
View this message in context: 
http://www.nabble.com/j_secuity-check-and-https-tp20603453p20686814.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



j_security_check and https

2008-11-20 Thread Snaglefrac

Hi All,

I want to use j_security_check with HTTPS on port 8443. I only want to
secure the login pages and not the whole application.

So...
These pages need to be secured when accessed:
/secure/login.jsp
/secure/loginerr.jsp

Everything else is secured by form-based authentication and uses an LDAP
realm.

So, I have set up in my web.xml:
<!-- Everything needs the "person" role (LDAP realm, FORM auth) -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Security</web-resource-name>
        <description></description>
        <url-pattern>/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description></description>
        <role-name>person</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <description>All users who can login should be able to use this
application</description>
    <role-name>person</role-name>
</security-role>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/secure/login.jsp</form-login-page>
        <form-error-page>/secure/loginerr.jsp</form-error-page>
    </form-login-config>
</login-config>

<!-- Only the login pages and j_security_check should require HTTPS -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Security</web-resource-name>
        <description></description>
        <url-pattern>/secure/*</url-pattern>
        <url-pattern>/j_security_check</url-pattern>
        <url-pattern>/secure/j_security_check</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

The problem is when I hit the application where I have form authentication
connecting to LDAP, it uses the /secure/login.jsp page, because j_security_check
redirects to this page.

But it is not forced to HTTPS, because the URL pattern doesn't match. So how
can I force the login.jsp page to be HTTPS? I don't want my LDAP user
password floating around out there.
-- 
View this message in context: 
http://www.nabble.com/j_secuity-check-and-https-tp20603453p20603453.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


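One defensive approach to the situation described in both posts, as an added example that is not from the thread, from Tomcat or from the poster: a servlet filter mapped to the login pages that redirects any plain-HTTP request to the same path on the HTTPS connector (port 8443, as in the original post). Because the container reaches the FORM login page by forwarding to it rather than redirecting, the mapping must include the FORWARD dispatcher; the class name, filter name, init parameter and port are assumptions.

```java
// Added example (not from the thread): force HTTPS for the FORM login pages only.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class LoginHttpsFilter implements Filter {
    // HTTPS connector port; 8443 as in the original post (assumed, overridable in web.xml).
    private int httpsPort = 8443;
    public void init(FilterConfig config) throws ServletException {
        String port = config.getInitParameter("httpsPort");
        if (port != null) {
            httpsPort = Integer.parseInt(port.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!request.isSecure()) {
            // Reached over plain HTTP, either directly or via the container's forward
            // to the login page. Inside a forward getRequestURI() is the forward target
            // (the login page), so the browser is sent to that page on the HTTPS port.
            StringBuffer target = new StringBuffer("https://");
            target.append(request.getServerName()).append(':').append(httpsPort);
            target.append(request.getRequestURI());
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            response.sendRedirect(target.toString());
            return;
        }
        chain.doFilter(req, res); // already HTTPS: serve the login page normally
    }

    public void destroy() { }
}

/* web.xml entries (assumed):
   <filter>
     <filter-name>LoginHttpsFilter</filter-name>
     <filter-class>LoginHttpsFilter</filter-class>
   </filter>
   <filter-mapping>
     <filter-name>LoginHttpsFilter</filter-name>
     <url-pattern>/secure/*</url-pattern>
     <dispatcher>REQUEST</dispatcher>
     <dispatcher>FORWARD</dispatcher> <!-- FORM auth forwards to the login page -->
   </filter-mapping> */
```

This protects only the credentials: once the user is redirected back to /gigatronic/* over HTTP, the JSESSIONID cookie that now identifies the authenticated session travels in the clear, which is the trade-off the posts explicitly ask for.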