On Thu, 25 Oct 2001, Taavi Tiirik wrote:

> Date: Thu, 25 Oct 2001 16:36:35 +0200
> From: Taavi Tiirik <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: switch between http and https. how?
>
> I have Tomcat 4 running fine with both http and https protocols.
> I would like to use http for serving most of the documents and
> only j_security_check (form based login) should be done over
> https. How can I configure this?
>
There is no way to configure this. Furthermore, it would be unsafe to rely on this for any sort of security. Consider the fact that the session id cookie is still transmitted in clear text, so anyone snooping on the network could easily swipe your session id (and thus impersonate that user for as long as the session remained alive), even though they could not see the password because it was encrypted.

> with best wishes,
> Taavi
>

Craig
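The exposure described in the reply above can be checked for in captured traffic. This is an added example, not part of the original thread or of Tomcat: it scans HTTP exchanges for a session id crossing the wire unencrypted, and goes slightly beyond the reply by also flagging URL-rewritten session ids and cookies issued over https without the `Secure` attribute. The exchange dictionary layout, the function names and the sample data are constructed for illustration; `JSESSIONID` is the servlet container's standard session cookie name.

```python
import re

SESSION_NAME = "JSESSIONID"  # standard servlet session cookie name

def _names(header_value):
    """Split 'a=1; b=2; Secure' into ['a', 'b', 'Secure']."""
    return [p.strip().split("=", 1)[0] for p in header_value.split(";")]

def cleartext_session_leaks(exchanges):
    """Return (index, reason) for each exchange that exposes the session id."""
    findings = []
    for i, ex in enumerate(exchanges):
        https = ex["scheme"] == "https"
        # URL rewriting puts the id in the path when cookies are unavailable.
        if not https and re.search(r";jsessionid=", ex["path"], re.I):
            findings.append((i, "session id in plain-http URL"))
        # Browser replaying the cookie on an unencrypted request.
        for name, value in ex["request"]:
            if (not https and name.lower() == "cookie"
                    and SESSION_NAME in _names(value)):
                findings.append((i, "session cookie sent over plain http"))
        # Server issuing the cookie in a way that allows cleartext replay.
        for name, value in ex["response"]:
            if name.lower() != "set-cookie":
                continue
            parts = _names(value)  # cookie name first, then attributes
            if parts[0] != SESSION_NAME:
                continue
            if not https:
                findings.append((i, "session cookie issued over plain http"))
            elif "secure" not in {a.lower() for a in parts[1:]}:
                findings.append((i, "session cookie issued over https without Secure"))
    return findings

# Constructed sample: the setup asked about in the thread (login on https only).
COOKIE = ("Cookie", "JSESSIONID=CONSTRUCTED0001")
SAMPLE = [
    {"scheme": "http", "path": "/app/protected/index.jsp", "request": [],
     "response": [("Set-Cookie", "JSESSIONID=CONSTRUCTED0001; Path=/app")]},
    {"scheme": "https", "path": "/app/j_security_check", "request": [COOKIE],
     "response": [("Location", "http://example.invalid/app/protected/index.jsp")]},
    {"scheme": "http", "path": "/app/protected/index.jsp", "request": [COOKIE],
     "response": []},
]

if __name__ == "__main__":
    for index, reason in cleartext_session_leaks(SAMPLE):
        print(f"exchange {index}: {reason}")
```

Only the https login exchange passes clean; the requests before and after it carry the same session id in the clear, which is the point the reply makes.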
