On Fri, Aug 1, 2014 at 4:34 PM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:

> > From: John Smith [mailto:tomcat.ran...@gmail.com]
> > Subject: Restricting SSL access within webapp
>
> > What's the correct way to selectively restrict https to only one area of
> > a webapp?
>
> Why would you want to do that? Other than a few extra server CPU cycles,
> what's the harm in allowing SSL anywhere at the client's discretion?
>
> - Chuck

From the docs:

Also, while the SSL protocol was designed to be as efficient as securely possible, encryption/decryption is a computationally expensive process from a performance standpoint. It is not strictly necessary to run an entire web application over SSL, and indeed a developer can pick and choose which pages require a secure connection and which do not. For a reasonably busy site, it is customary to only run certain pages under SSL, namely those pages where sensitive information could possibly be exchanged.

Unfortunately how to do this isn't explained. I might use a filter.

Our site handles 500,000 visitors a day on two TC instances. Believe me, I need to consider performance costs.
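
An added example, not part of the original message or of the Tomcat documentation it quotes: the Servlet-standard way to require SSL for one area of a webapp is a `security-constraint` with a `CONFIDENTIAL` transport guarantee in `WEB-INF/web.xml`. The `/account/*` pattern and the resource name are assumptions chosen for illustration.

```xml
<!-- WEB-INF/web.xml fragment (added example, not from the thread). -->
<!-- Assumption: the pages that exchange sensitive data live under /account/* -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Sensitive area</web-resource-name>
    <url-pattern>/account/*</url-pattern>
    <!-- No http-method elements: the constraint covers every HTTP method -->
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL: the container serves these URLs only over SSL/TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Tomcat redirects plain-HTTP requests for matching URLs to the `redirectPort` of the HTTP connector. The constraint only enforces HTTPS on the listed area; it does not prevent clients from using HTTPS for the rest of the application.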