Hi Chris,

I moved the <user-data-constraint> inside the <web-resource-collection> as the following:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Automatic SLL Forwarding</web-resource-name>
        <url-pattern>/login.html</url-pattern>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </web-resource-collection>
    </security-constraint>
But http://www.mydomain.com/login.html did not redirect to the secure URL.

As you mentioned, if I start as http, then redirect to https when logging in, and keep https after login, does that mean https is using the http session? Is there any security hole if a man-in-the-middle knows the session id from http and the same session id is used by https?

Thanks for help.

Dave

Christopher Schultz <[EMAIL PROTECTED]> wrote:

Dave,

Dave wrote:
| I tried the method, it worked.
| But when I tried to protect login page only,
|
| protected pages
| /login.jsp
|
| restarted tomcat, and went to http://www.mydomain.com
| it was redirected to secure URL. It should stay insecure until going to login page.
|
| anything I was missing?

Is that your entire configuration? If you've told Tomcat that /* should be CONFIDENTIAL, then all traffic will be redirected to HTTPS.

Move the CONFIDENTIAL part into the that represents your login page, and leave the rest of the app non-CONFIDENTIAL.

Remember that Tomcat will not automatically go from HTTPS to HTTP, so you'll have to make that happen yourself. Also remember that if your session id cookie was created in HTTPS mode, your browser will not send it back to the server when you're in HTTP mode.

- -chris
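For readers following this thread, here is the element placement that makes Tomcat honour the CONFIDENTIAL guarantee. This is an added example, not a configuration from either poster: in the Servlet deployment descriptor <user-data-constraint> is a sibling of <web-resource-collection> directly under <security-constraint>, not a child of it. Nested inside the collection, as in Dave's attempt above, Tomcat does not recognise it, so no transport guarantee is applied and the plain-HTTP request goes through unredirected. The /j_security_check pattern and the Servlet 3.0 <cookie-config> block are assumptions (FORM authentication and Tomcat 7 or later respectively), marked as such in the comments.

```xml
<!-- Added example (not from the thread). Only the login page is forced onto
     HTTPS; every other URL in the application stays non-CONFIDENTIAL, which is
     what the reply recommends. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login over TLS</web-resource-name>
    <url-pattern>/login.html</url-pattern>
    <!-- Assumption: FORM authentication. The credential POST must be covered
         too, otherwise the password itself travels over plain HTTP. -->
    <url-pattern>/j_security_check</url-pattern>
  </web-resource-collection>
  <!-- Sibling of web-resource-collection, not a child of it. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Assumption: Servlet 3.0 descriptor (Tomcat 7 or later). Only appropriate
     when every page that needs the authenticated session is served over HTTPS;
     a secure cookie is never sent on plain-HTTP requests. -->
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
```

On the session question raised above: a session id that was first issued over HTTP has already been visible on the wire, so letting the same id become the authenticated session over HTTPS keeps that exposure. The usual mitigation in application code is to discard the pre-login session once credentials are verified (session.invalidate(), then request.getSession(true) to obtain a fresh id); later Tomcat releases also do this for container-managed authentication through the authenticator valve's changeSessionIdOnAuthentication setting, which is enabled by default there. Keeping the whole authenticated part of the application on HTTPS, so the session cookie can carry the secure flag as above, removes the mixed-mode case entirely, at the cost of handling the HTTP to HTTPS transition yourself as the reply notes.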