I've gone through your same questions lately, and am still learning, but here is what I've learned from the list and other places.
* Once you start using https, you should NOT switch back to http; doing so will allow anyone to sniff the session id and put at risk whatever you thought you secured with https. So, if during a session a user goes to https, you should not switch back to http just because the next page does not need to be secured; at this point it is not the page, but the session, that needs to be secure.

* There are numerous ways to know if you are running https, and also to switch to https if you were not. I use a filter to look at what port and protocol is being requested, and switch to https if necessary. The method used varies if you use apache + tomcat or tomcat stand alone. This is because when using apache, apache talks to tomcat always in http; it takes charge of all communication with the client being secure, but it tells you the user requested a secure session by appending the secure port number to the url requested. If tomcat is being used stand alone, you can check what protocol was requested and other stuff using httpRequest's getScheme(), getProtocol(), getServerPort() and stuff like that. If a servlet or jsp needs to know if a secure session was requested, you can use the isSecure() method of the request.

There is also a way to force tomcat to ensure the secure scheme is being used, by adding something like the following to your web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL-Only Portion Of This Webapp</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

And you can also make apache not serve anything but whatever uri prefix you specify, so it won't serve something if it begins with /secure, which you can use as the prefix for any jsp or servlet you want to make sure runs only in a secure way.

I hope all this helps!
On Tuesday 17 December 2002 14:43, Cook, Christopher H (IndSys, GE Interlogix) wrote:
> The documentation supplied for tomcat that pertains to the configuration of
> ssl states - "indeed a developer can pick and choose which pages require a
> secure connection and which do not. For a reasonably busy site, it is
> customary to only run certain pages under SSL, namely those pages where
> sensitive information could possibly be exchanged. ... Any pages which
> absolutely require a secure connection should check the protocol type
> associated with the page request and take the appropriate action if https
> is not specified."
>
> I have SSL set up in my application currently, so that any page I request
> can either use https or http. How do I restrict access to some pages using
> http, while allowing others to use it? Basically how do I implement the
> scenarios described in the above passage? Or where is there documentation
> on this?
>
> Thanks,
>
> Chris
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
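The filter approach the reply describes, written out as an added example (not code from the original post, and not Tomcat's own): a servlet Filter that forces https for everything under an assumed /secure prefix and, once a session has been served over https, refuses to let that session continue over plain http. It assumes stand-alone Tomcat, where request.isSecure() reflects the client connection; behind apache you would substitute the port check the reply mentions. The SECURE_PREFIX and HTTPS_PORT values, the RequireHttpsFilter class name and the session attribute name are all assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Redirects plain-HTTP requests to HTTPS when the path lies under the secure
// prefix, or when the session has already been used over HTTPS. In the second
// case the session is also invalidated: its id may just have travelled in the
// clear, so it is no longer trustworthy (a redirect alone cannot undo that).
public class RequireHttpsFilter implements Filter {
    static final String SEEN_HTTPS = "RequireHttpsFilter.seenHttps"; // session marker (assumed name)
    static final String SECURE_PREFIX = "/secure"; // assumed, matching the web.xml above
    static final int HTTPS_PORT = 443;             // assumed; 8443 is common for stand-alone Tomcat

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (request.isSecure()) {
            // Mark the session: from now on it must stay on HTTPS.
            request.getSession(true).setAttribute(SEEN_HTTPS, Boolean.TRUE);
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = request.getSession(false);
        boolean sessionUsedHttps = session != null && session.getAttribute(SEEN_HTTPS) != null;
        boolean pathNeedsHttps = request.getRequestURI()
                .startsWith(request.getContextPath() + SECURE_PREFIX);
        if (sessionUsedHttps) session.invalidate(); // do not keep using a possibly sniffed id
        if (sessionUsedHttps || pathNeedsHttps) {
            response.sendRedirect(httpsUrlFor(request));
            return;
        }
        chain.doFilter(req, res);
    }

    // Same URI and query string, but with the https scheme and the HTTPS port.
    static String httpsUrlFor(HttpServletRequest request) {
        StringBuffer url = new StringBuffer("https://").append(request.getServerName());
        if (HTTPS_PORT != 443) url.append(':').append(HTTPS_PORT);
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) url.append('?').append(request.getQueryString());
        return url.toString();
    }
}
```

Map the filter to /* in web.xml so it runs ahead of every servlet and jsp it is meant to protect.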