On Thu, Apr 08, 2004 at 06:36:16PM +0200, Malcolm Warren wrote:
: Surely the authorization should be requested in all places and at all
: times, wherever the request is coming from, even if from an include in an
: unprotected page?

Clearly not, if it's going through. ;)

My understanding of the spec is that the security constraints are for the originally-requested URI only. It's up to the developers to make sure content doesn't get <include>'d or forward()'d to the wrong place.

: It has happened that I forget to type https:// and type http:// instead.
: So if a nasty, mean person is listening in, he can see my password
: unencrypted, right?

Yes.

: How can I prevent this?

Use all SSL, all the time. -and I'm not being facetious there. If the data is that sensitive, why not?

Other than that, I believe there are auth restraints in web.xml that require SSL auth. I'd be more specific, but I'm deep into a C++ project right today so my servlet spec knowledge is a little hazy.

btw, what's wrong with form auth? I don't recall it requiring that much extra programming.

-QM

--
software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
