I have been using basic authorization with SSL in Tomcat for some time, quite satisfactorily.
However I have found what I feel to be some strange behaviour on the part of Tomcat (I have 4.1.30) in one case.
Here's an example:
I have a folder, let's say http://www.mysite.com/prot/. I put a security-constraint on this folder in web.xml so that it is protected and requires basic authorization. So far so good.
But I have discovered that if you include a document from that protected folder inside a document from an unprotected folder using a <jsp:include>, then basic authorization is no longer requested by the browser for the protected page.
Surely the authorization should be requested in all places and at all times, wherever the request is coming from, even if from an include in an unprotected page?
-----------------------
This leads on to my second question.
I have been trying to solve one small though potentially dangerous problem with Basic Authorization/SSL.
If I want to access a protected area of our site from outside the firewall I write an address similar to the following:
https://mysslsite.com/pagerequired.jsp.
It has happened that I forget to type https:// and type http:// instead.
So if a nasty, mean person is listening in, he can see my password unencrypted, right?
How can I prevent this? The problem is that the login window with basic authorization pops up before you arrive at the page itself.
I thought of FORM authorization, because the .jsp used for the Login form can check the port requested (must be 443) and refuse to request the password if it's wrong. But FORM authorization requires lots of extra programming to give many of the useful extras that BASIC authorization includes (e.g. remembering your user name and password).
Then I thought of including the protected page in an unprotected page that checks if you are in https before doing the include. But since Tomcat has this strange behaviour I mentioned above, after a couple of days of fiddling with this possibility I've had to give that up too.
Anybody got any ideas?
Thanks for your time, Malcolm Warren
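An added example (not part of the message above) of the web.xml fragment for the /prot/ folder described in the post, with the servlet 2.3 user-data-constraint that makes the container redirect a plain-http request to SSL before it issues the BASIC challenge; the role name and realm name are assumed placeholders.

```xml
<!-- Fragment of WEB-INF/web.xml (servlet 2.3, the version Tomcat 4.1 uses).
     Added example, not from the original message. The role name "member"
     and the realm name are placeholders. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <!-- The folder from the message: http://www.mysite.com/prot/ -->
    <url-pattern>/prot/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
  <!-- Without this element the container sends the BASIC challenge on a
       plain http request as well, so a mistyped http:// URL lets the
       browser send the Base64-encoded credentials in the clear.
       With CONFIDENTIAL the container first redirects the request to the
       SSL connector (the redirectPort of the HTTP Connector in server.xml,
       e.g. 443) and only then asks for a password. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>My Site</realm-name>
</login-config>

<security-role>
  <role-name>member</role-name>
</security-role>
```

This constraint is only checked on requests arriving from the client; a <jsp:include> is dispatched inside the container through the RequestDispatcher, which the servlet specification exempts from security constraints, so the included page is never challenged on its own.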
