It's not Struts that is ignoring your security constraints ... it's Tomcat. Which makes sense, because you are using container-managed security :-). That is because using SSL on the login pages is not supported out of the box by Tomcat. You might want to investigate projects like SSLExt or SecurityFilter for other approaches.
My personal belief is that any such solution (log in under SSL then switch back) gives you very little extra security -- or, to be more blunt, a false sense of security. Yes, the password will then be sent encrypted ... but if you switch back to non-SSL, your session id is going to be transmitted in cleartext anyway ... that's all anyone needs to spoof your logged-in user unless you take a bunch of extra measures to prevent it (some of which might not actually work).

Craig

On Fri, 12 Nov 2004 10:26:02 +0100, Roland Carlsson <[EMAIL PROTECTED]> wrote:
> Hi!
>
> I have a problem with my login pages. They are supposed to only be reachable
> through SSL. But it seems like Struts is ignoring the config in web.xml
> about having the pages secure
> (<transport-guarantee>CONFIDENTIAL</transport-guarantee>). (The full
> security-constraint is posted at the end.)
>
> Right now I'm using Tomcat's built-in security that filters out
> unauthenticated users and redirects them to the login page. Is it possible to
> solve this in Struts, or do I have to find other ways, e.g. put the whole
> application as CONFIDENTIAL?
>
> Thanks in advance
> Roland Carlsson
>
> -----security constraint from web.xml-----------
>
> <security-constraint>
>   <display-name>AQMFiles 02</display-name>
>   <web-resource-collection>
>     <url-pattern>/login.jsp</url-pattern>
>     <url-pattern>/error.jsp</url-pattern>
>     <url-pattern>j_security_check</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> <security-constraint>
>   <display-name>AQMFiles 01</display-name>
>   <web-resource-collection>
>     <url-pattern>/pages/*</url-pattern>
>     <url-pattern>/env/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>*</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
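The option Roland raises at the end of his question, putting the whole application under CONFIDENTIAL, is what removes the cleartext session id that Craig describes: if no URL is ever served over plain HTTP, there is no switch back after login. The web.xml fragment below is an added example, not from the original thread; the display-name and web-resource-name values and the /* pattern are assumed for illustration, and the /pages/* and /env/* patterns and the role-name are taken from Roland's post.

```xml
<!-- Added example (not from the original thread). Every request to the
     application, login pages included, must arrive over SSL/TLS, so the
     session id is never transmitted in cleartext after login. -->
<security-constraint>
  <display-name>Whole application over SSL</display-name>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- Deliberately no auth-constraint: this constraint only forces the
       transport, so unauthenticated users can still reach the login page. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- The access constraint from the original post, patterns and role kept
     as they were. Its transport-guarantee is changed from NONE to
     CONFIDENTIAL on purpose: when several constraints match the same URL,
     the servlet spec combines their user-data-constraints as the union of
     accepted connection types, so leaving NONE here (or omitting the
     user-data-constraint) would re-open plain HTTP for /pages/* and /env/*
     despite the /* constraint above. -->
<security-constraint>
  <display-name>AQMFiles 01</display-name>
  <web-resource-collection>
    <web-resource-name>Protected pages</web-resource-name>
    <url-pattern>/pages/*</url-pattern>
    <url-pattern>/env/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With this in place the separate login-page constraint (AQMFiles 02 in the post) becomes redundant, since /login.jsp, /error.jsp and the j_security_check POST are all covered by /*. Tomcat enforces CONFIDENTIAL by redirecting a plain-HTTP request to the port named in the redirectPort attribute of the HTTP Connector in server.xml, so that port has to point at a working SSL connector; a quick check is to request any page over http:// and confirm you are sent to the https:// URL rather than to an unreachable port.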