Since there is no way to maintain the session without hacking Tomcat, as Tim said, no.

But what you could try is a single use password.
User hits the SSL encrypted login page.
User authenticates with normal username and password.
Random string password is created and stored in database and put in query string. User then is redirected to the unencrypted jsp login page that pulls the password from the request query string and inserts it into the form.
The page does a submit on load. (JavaScript onload in the body tag)
Once the user is logged in, the password would need to be deleted from the database and replaced with the normal password.

So the user logs in with the normal password.
It is then swapped for the single use password.
Once logged in with the single use password it is replaced with the normal password.

Now the question is how bad did you want this?

And no I have not done this, so it is all theory at this point.

Doug


----- Original Message -----
From: "August Detlefsen" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Sent: Wednesday, May 25, 2005 8:43 PM
Subject: Re: Force Non-SSL


Is there no way to do it? SSL creates a lot of overhead for a site that
is serving up 100MB image files.




--- Tim Funk <[EMAIL PROTECTED]> wrote:
no

-Tim

August Detlefsen wrote:
> In my webapp I force clients to use SSL encryption for logins with a
> security constraint and transport-guarantee elements like this:
>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>Login</web-resource-name>
>         <url-pattern>/login/*</url-pattern>
>       </web-resource-collection>
>
>       <user-data-constraint>
>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>       </user-data-constraint>
>     </security-constraint>
>
> However, once a user hits the login page, every subsequent page also
> uses https. Is there a way to force them back to regular http once they
> leave the login section?


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
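
An added sketch of the single-use credential handoff described in Doug's reply, not code from the thread or from Tomcat: it keeps the one-time value in its own store instead of overwriting the user's real password, stores only its hash, expires it, and consumes it atomically so a replayed value is rejected. The class name `SingleUseTokenStore`, the 30-second lifetime, and the in-memory map standing in for the database are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical in-memory stand-in for the database table in the scheme above. */
public class SingleUseTokenStore {
    private record Entry(String user, Instant expires) {}

    private final Map<String, Entry> byDigest = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Duration ttl;

    public SingleUseTokenStore(Duration ttl) { this.ttl = ttl; }

    /** Called after the username/password check on the SSL login page. */
    public String issue(String user) {
        byte[] raw = new byte[32];                        // 256 bits from a CSPRNG
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byDigest.put(digest(token), new Entry(user, Instant.now().plus(ttl)));
        return token;                                     // value carried by the redirect
    }

    /** Called by the non-SSL page: yields the user at most once per token. */
    public Optional<String> redeem(String token) {
        if (token == null) return Optional.empty();
        Entry e = byDigest.remove(digest(token));         // atomic remove: no second use
        if (e == null || Instant.now().isAfter(e.expires())) return Optional.empty();
        return Optional.of(e.user());
    }

    // Only the hash is stored, so a leaked table does not yield usable tokens.
    private static String digest(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);          // SHA-256 is required in every JRE
        }
    }

    public static void main(String[] args) {
        SingleUseTokenStore store = new SingleUseTokenStore(Duration.ofSeconds(30));
        String t = store.issue("august");                 // constructed sample user
        System.out.println(store.redeem(t));              // redeem once
        System.out.println(store.redeem(t));              // redeem the same value again
    }
}
```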