Hi Chris,
   
  I moved the <user-data-constraint> inside the <web-resource-collection> as
follows:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Automatic SLL Forwarding</web-resource-name>
            <url-pattern>/login.html</url-pattern>
            <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
        </web-resource-collection>
    </security-constraint>

  But http://www.mydomain.com/login.html did not redirect to the secure URL.

  As you mentioned, if I start with HTTP, then redirect to HTTPS when logging in,
and keep HTTPS after login, does that mean HTTPS is using the HTTP session? Is
there any security hole if a man-in-the-middle learns the session id from HTTP
and the same session id is then used over HTTPS?

  Thanks for the help.
  Dave
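On the question above: a session id that has already travelled in cleartext can be replayed by whoever observed it, even after the browser switches to HTTPS, so the usual defence is to issue a fresh id at the HTTP-to-HTTPS transition (and again at login). The following servlet filter is an added example, not code from this thread or from Tomcat; it assumes the Servlet 2.5 `javax.servlet` API and uses the hypothetical marker attribute name `__seenOverHttp`.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Rotates the session id the first time a session used over plain HTTP arrives over HTTPS. */
public class SessionRotationFilter implements Filter {
    // Hypothetical marker attribute (an assumption of this example, not a Servlet/Tomcat name).
    private static final String SEEN_OVER_HTTP = "__seenOverHttp";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        if (session != null) {
            if (!request.isSecure()) {
                // This id has now been sent in cleartext at least once; remember that.
                session.setAttribute(SEEN_OVER_HTTP, Boolean.TRUE);
            } else if (session.getAttribute(SEEN_OVER_HTTP) != null) {
                rotate(request, session);
            }
        }
        chain.doFilter(req, res);
    }

    /** Copy state into a brand-new session so the cleartext-exposed id stops being valid. */
    static void rotate(HttpServletRequest request, HttpSession old) {
        Map<String, Object> saved = new HashMap<String, Object>();
        for (Enumeration<?> e = old.getAttributeNames(); e.hasMoreElements();) {
            String name = (String) e.nextElement();
            if (!SEEN_OVER_HTTP.equals(name)) {
                saved.put(name, old.getAttribute(name));
            }
        }
        old.invalidate();                             // the id seen over HTTP is now dead
        HttpSession fresh = request.getSession(true); // new id, issued in a new cookie
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
    }
}
```

Map the filter to `/*` in web.xml so it sees every request; because the replacement cookie is created on an HTTPS request, it also gets the behaviour Chris describes below (not sent back over plain HTTP). Servlet 3.1 later added `HttpServletRequest.changeSessionId()` for the same purpose.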

Christopher Schultz wrote:

Dave,

Dave wrote:
| I tried the method, it worked.
| But when I tried to protect login page only,
|
| 
| protected pages
| /login.jsp
| 
|
| restarted tomcat, and went to http://www.mydomain.com
|
| it was redirected to secure URL. It should stay insecure until going to login page.
|
| anything I was missing?

Is that your entire configuration? If you've
told Tomcat that /* should be CONFIDENTIAL, then all traffic will be
redirected to HTTPS.

Move the CONFIDENTIAL part into the that
represents your login page, and leave the rest of the app non-CONFIDENTIAL.

Remember that Tomcat will not automatically go from HTTPS to HTTP, so
you'll have to make that happen yourself. Also remember that if your
session id cookie was created in HTTPS mode, your browser will not send
it back to the server when you're in HTTP mode.

- -chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org