Re: Force Non-SSL

2005-06-22 Thread Duong BaTien
Greetings: As promised, i report back my solutions and hope this may help others. On Mon, 2005-06-06 at 07:42 -0600, Duong BaTien wrote: On Mon, 2005-06-06 at 07:04 -0400, Tim Funk wrote: Almost. (I think) Thanks. I will try the workaround and report to the list for the benefits of

Re: Force Non-SSL

2005-06-06 Thread Tim Funk
Almost. (I think) You can't request any pages under /WEB-INF. Security constraints are only for the incoming URL - not urls obtained by getRequestDispatcher() -Tim Duong BaTien wrote: On Thu, 2005-05-26 at 06:34 -0400, Tim Funk wrote: From a config point of view no. The simple workaround

Re: Force Non-SSL

2005-06-06 Thread Duong BaTien
On Mon, 2005-06-06 at 07:04 -0400, Tim Funk wrote: Almost. (I think) Thanks. I will try the workaround and report to the list for the benefits of others. BaTien DBGROUPS You can't request any pages under /WEB-INF. Security constraints are only for the incoming URL - not urls obtained by

Re: Force Non-SSL

2005-06-04 Thread Duong BaTien
On Thu, 2005-05-26 at 06:34 -0400, Tim Funk wrote: From a config point of view no. The simple workaround - Ditch the web.xml config for requiring SSL - Create a filter which checks the scheme and URL - if the do not match what you desire - you can issue a redirect in the filter to https (or

RE: Force Non-SSL

2005-05-26 Thread Steve Kirk
To: Tomcat Users List Subject: Re: Force Non-SSL Is there no way to do it? SSL creates a lot of overhead for a site that is serving up 100MB image files. --- Tim Funk [EMAIL PROTECTED] wrote: no -Tim August Detlefsen wrote: In my webapp I force clients to use SSL

Re: Force Non-SSL

2005-05-26 Thread Tim Funk
From a config point of view no. The simple workaround - Ditch the web.xml config for requiring SSL - Create a filter which checks the scheme and URL - if the do not match what you desire - you can issue a redirect in the filter to https (or http) as desired -Tim August Detlefsen wrote: Is

Re: Force Non-SSL

2005-05-25 Thread Tim Funk
no -Tim August Detlefsen wrote: In my webapp I force clients to use SSL encryption for logins with a security constraint and transport-guarantee elements like this: security-constraint web-resource-collection web-resource-nameLogin/web-resource-name

Re: Force Non-SSL

2005-05-25 Thread August Detlefsen
Is there no way to do it? SSL creates a lot of overhead for a site that is serving up 100MB image files. --- Tim Funk [EMAIL PROTECTED] wrote: no -Tim August Detlefsen wrote: In my webapp I force clients to use SSL encryption for logins with a security constraint and

Re: Force Non-SSL

2005-05-25 Thread Parsons Technical Services
this, so it is all theory at this point. Doug - Original Message - From: August Detlefsen [EMAIL PROTECTED] To: Tomcat Users List tomcat-user@jakarta.apache.org Sent: Wednesday, May 25, 2005 8:43 PM Subject: Re: Force Non-SSL Is there no way to do it? SSL creates a lot of overhead

Re: Force Non-SSL

2005-05-25 Thread Nikola Milutinovic
August Detlefsen wrote: Is there no way to do it? SSL creates a lot of overhead for a site that is serving up 100MB image files. There are ugly or less ugly workarounds, like the one yahoo uses. Login can go against HTTPS, sets up it's version of session and then redirects the user to