I hope this is the right list regarding my issue - it's a theoretical question and I was redirected from the [EMAIL PROTECTED] mailing list to the 'servlet spec team'. After mailing Sun a couple of times I was directed here. From the archives though this list looks to be very low volume. If I'm in the wrong place, I'd appreciate it if someone would say.
Here is my issue.
Using Tomcat 4, I was able to protect my app with non-SSL security constraints while using SSL form-based authentication (the login form protected through constraints in the deployment descriptor), so that passwords were not sent in clear text.
This has been a specification of the last 3 projects I have worked on.
In Tomcat 5, due to its compliance with the servlet spec 2.4, this is impossible without coding a work-around.
It seems people decided that due to the danger of session-hijacking, if it was worth encrypting the login, it was worth encrypting the whole session traffic.
I disagreed and developed a work-around to allow me to carry on using the container-based security features, due to various reasons:
- the charges that the extra hardware brings when doing all logged-in sessions in SSL
- the perception of HTTPS sessions amongst the public
- my belief that sending clear-text passwords over the net is a far graver problem than session-hijacking
- the ease of implementation of work-arounds for me (& presumably in tomcat)
The work-arounds took me a few days back then, and then this week something else cropped up which caused me to revisit the work-around code and spend 2 days adding to it (and documenting it - it's pretty arcane).
It occurred to me that this will always happen. The work-around is vulnerable to any changes in the servlet spec of course, but also in Tomcat and in Struts.
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
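The deployment-descriptor shape the post describes (the login form and error page forced onto SSL, the rest of the application served over plain HTTP but still behind a container role check), written out as an added illustration; it is not the poster's web.xml or Tomcat's own configuration. The URL patterns, the role name "member" and the realm name are assumed, and the 2.3 DTD is used because the post says this arrangement worked on Tomcat 4:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration, not the poster's descriptor.
     URL patterns, role name and realm name are assumed. -->
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
                         "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Everything under /app/ requires the assumed role "member".
       transport-guarantee NONE: the logged-in pages are served over
       plain HTTP, which is the trade-off the post argues for. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The login form and its error page must be fetched over SSL, so the
       form's POST of the credentials goes back to an https URL. There is
       no auth-constraint here: the pages themselves are public. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login pages</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/login-error.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Container-managed form authentication; the form in /login.jsp
       posts to j_security_check with j_username and j_password. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```

Two things to check when reviewing a descriptor like this: the form's action must be a relative `j_security_check` so the POST stays on the https origin the login page was loaded from, and, as the post itself states, a Servlet 2.4 container such as Tomcat 5 will not keep the login exchange on SSL while the protected resources carry a NONE guarantee without additional work outside the descriptor. The residual risk the post acknowledges remains: the session cookie issued after login travels over plain HTTP for every request under /app/.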