My question is basically, why can I no longer encrypt the form-based authentication for the container (i.e. SSL / HTTPS) and carry on the session in unencrypted HTTP afterwards?
In a nutshell, it seems to be a deliberate feature of the Servlet Spec.
I have looked into it a lot and had work-arounds in place for a while, but changes in Tomcat as new releases come out have also stymied my work-arounds.
There have been many discussions on this topic; you should try searching for them. A general web search should find things, as should newsgroups, and also most likely this mailing list and absolutely certainly the tomcat-user mailing list (archives of both are available).
Milt, I have searched these archives and tomcat-user's. Either the topic does not lend itself to obvious keywords and any relevant stuff is buried in the midst of pages and pages of other info, or the stuff I did find was just inconclusive and unconvincing.
i.e. I've still got unanswered questions.
I read it was partly down to 'session-hijacking', but my attempt to discuss it further was ignored, for whatever reason. I even opened a bug six months ago in Tomcat's Bugzilla, but it was quickly closed with the message that it had been discussed before.
I don't relish the idea of cajoling people to go over old ground again, but I have no real alternative.
If it makes any difference, I am probably just the first of many who will be asking about these changes from servlet spec 2.3 to 2.4, as everyday Java programmers become aware of the situation when making the upgrade over the next year or so.
Adam
-- struts 1.1 + tomcat 5.0.16 + java 1.4.2 Linux 2.4.20 Debian
___________________________________________________________________________ To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html Resources: http://java.sun.com/products/servlet/external-resources.html LISTSERV Help: http://www.lsoft.com/manuals/user/user.html