> I would say that you are partially right. It may be valid to protect passwords
> in an https session and run the rest of the app (for performance reasons) in http.
> This is BTW how Microsoft's Passport is used in Hotmail, used by 100 million
> users, so this (bad habit) is definitely not that unusual.
>
> Anyway, I don't think that Tomcat should eliminate this possibility.
> Add warnings to the "deconfiguration switch" and call it:
> SuboptimalSecurity="true"|"false" :-)
As you may have guessed, I am from the "Linux either yes or no" corner, as opposed to "Microsoft, and it works most of the time". Double euphemism points for the configuration directive though. What about "pseudo-safe non-standard SSL indifference?" :)

Carsten
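The "login over https, everything else over http" pattern quoted above has a concrete failure mode that the thread only alludes to: the session cookie issued by the HTTPS login is replayed by the browser on every later plain-http request unless it carries the Secure attribute, and with Secure set the http pages simply never see the session. The following is an added example, not code from the thread or from Tomcat; it models the browser-side send decision for a constructed `JSESSIONID` cookie (the cookie value and `example.test` URLs are made up) so the exposure can be checked for a given mix of URLs.

```python
# Added example (not from the mailing-list thread): models what a browser does
# with a session cookie issued over HTTPS when the rest of the site is served
# over plain HTTP. The Set-Cookie headers and URLs below are constructed.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # RFC 6265 "Secure" attribute: only send over https


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value (name=value plus attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = any(p.lower() == "secure" for p in parts[1:])
    return Cookie(name.strip(), value.strip(), secure)


def cookies_sent(cookies, url):
    """Names of the cookies a browser would attach to a request for url.

    A cookie marked Secure is withheld from any non-https request; all
    other cookies are sent regardless of scheme.
    """
    scheme = urlsplit(url).scheme.lower()
    return sorted(c.name for c in cookies if not c.secure or scheme == "https")


def cleartext_exposure(set_cookie_headers, urls):
    """Cookies that would travel in cleartext on at least one http request."""
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    exposed = set()
    for url in urls:
        if urlsplit(url).scheme.lower() == "http":
            exposed.update(cookies_sent(cookies, url))
    return sorted(exposed)


# Constructed sample: the login response over https sets the session cookie...
LOGIN_RESPONSE = ["JSESSIONID=abc123; Path=/; HttpOnly"]
LOGIN_RESPONSE_SECURE = ["JSESSIONID=abc123; Path=/; HttpOnly; Secure"]
# ...and the rest of the application is then browsed over plain http.
APP_PAGES = ["http://example.test/inbox", "http://example.test/mail/1"]

if __name__ == "__main__":
    # Without Secure the session id is sent in cleartext on every app page.
    print(cleartext_exposure(LOGIN_RESPONSE, APP_PAGES))         # ['JSESSIONID']
    # With Secure nothing leaks, but the http pages no longer see a session.
    print(cleartext_exposure(LOGIN_RESPONSE_SECURE, APP_PAGES))  # []
```

The two results together are the point: the cookie attribute can stop the leak, but only by making the http half of the application session-less, so the split cannot be made safe by a flag alone. In a servlet container such as Tomcat the supported way to express the intended policy is a `<security-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` on the URL patterns that must stay on https.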
