Christopher Schultz wrote:
Did you change Tomcat code, or your own code?
Our own code. We have an explicit login servlet that handles checking the login/password against values stored in our Oracle database.
Okay, so it sounds like you are using your own. Is there any particular reason you are not using the built-in container-based security mechanism?
I don't know. I didn't design it. Was that container based security available in Tomcat 3.2.4?
Those performance concerns are certainly valid. My experience has shown that most all-HTTPS sites have the SSL handshake as the most expensive part of the transaction -- sometimes even including (localhost, non-encrypted) database activity. There are ways to speed it up, but they are expensive. It's cheaper to buy more boxes ;)
Which we're doing. One of the nice things about doing this new Tomcat is that I'm doing it on a new box with a newer version of Linux, more CPUs (dual quad-cores), more RAM, etc. Eventually, I want to get into Tomcat clustering, for load balancing, fault tolerance and failover.
Just remember that sending JSESSIONID cookies in the clear means that sessions can be hijacked.
I know.
I totally understand. Just try to move to a more secure stance over time. It's the best you can do.
Agreed.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
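The hijacking risk raised above (a JSESSIONID sent over plain HTTP can be captured and replayed) is illustrated here with an added example; it is not code from the thread or from Tomcat. It is a servlet Filter that refuses to honor an authenticated session on a non-TLS request, plus a helper the custom login servlet could call after the Oracle check succeeds to issue a brand-new session ID. The class, package and attribute names (`example`, `SecureSessionFilter`, `AUTH_ATTR`, `establishAuthenticatedSession`) are hypothetical, it targets the Servlet 3.0 API (Tomcat 7 or later, so not the 3.2.4 install being replaced), and it assumes HTTPS is served on the default port 443.

```java
// Added example, not from the mailing-list thread or the Tomcat code base.
// Assumes the Servlet 3.0 API and HTTPS on port 443. All names are hypothetical.
package example;

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SecureSessionFilter implements Filter {
    /** Session attribute the (hypothetical) login servlet sets on success. */
    public static final String AUTH_ATTR = "example.authenticatedUser";

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Look up an existing session only; never create one on a plain-HTTP hit.
        HttpSession session = request.getSession(false);
        boolean authenticated = session != null && session.getAttribute(AUTH_ATTR) != null;

        if (authenticated && !request.isSecure()) {
            // The JSESSIONID just travelled in the clear, so treat it as burned:
            // drop the session and send the client back over HTTPS. The query
            // string is deliberately not carried across.
            session.invalidate();
            String target = "https://" + request.getServerName() + request.getRequestURI();
            response.sendRedirect(target);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}

    /**
     * To be called by the login servlet once the username/password check against
     * the database has passed. The pre-login session may already have been
     * observed on the wire (or planted by an attacker), so it is discarded and a
     * fresh session, hence a fresh JSESSIONID, is issued for the authenticated user.
     */
    public static HttpSession establishAuthenticatedSession(HttpServletRequest request,
                                                            String user) {
        HttpSession old = request.getSession(false);
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            // Preserve non-sensitive pre-login state (e.g. a shopping cart), then
            // invalidate the old session so its ID can no longer be replayed.
            for (String name : Collections.list(old.getAttributeNames())) {
                keep.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true); // new JSESSIONID
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(AUTH_ATTR, user);
        return fresh;
    }
}
```

Two caveats a practitioner would want: `request.isSecure()` reports what the connector saw, so if TLS is terminated on a load balancer in front of the cluster, Tomcat's RemoteIpValve (or an equivalent) must be configured to trust the forwarded-proto header, or every request will look like plain HTTP and the filter will bounce everyone. And the filter only limits the damage after a cookie has already leaked; to stop the browser sending it in the clear at all, mark the cookie Secure (Servlet 3.0 `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>` in web.xml), which together with a `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` security constraint is the declarative route the container-managed security mentioned earlier in the thread would give you for free.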