Gregor Schneider wrote:
> And another one:
>
> AFAIK, when using Form-based Authentication, the parameters for
> j_security_check are sent in a readable manner over the wire, thus
> prone to attack.

Correct.

> Therefore, it is recommended to use SSL encryption for the Form-Login page.

Correct.

> However, that means that one has to buy one of those quite expensive
> SSL-certs.

Or self-sign but that has other issues.

> Since those pages actually don't need SSL at all except for the

You need to protect the session ID as well so you do need SSL for all those pages.

> Login-process, is there any way to achieve encryption for the
> Login-process without a valid SSL-cert?

Ditch FORM auth, use DIGEST.

Mark
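A web.xml fragment illustrating both of Mark's points, added here as a constructed example rather than configuration from the thread: the CONFIDENTIAL transport guarantee on every protected URL (not only the login page, since the session cookie needs the same protection as the credentials) and a DIGEST login-config in place of FORM. The role name, URL pattern, page names and realm name are assumed values.

```xml
<!-- Constructed web.xml fragment (not from the thread); the role "user" and
     the path /protected/* are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Every page that carries the authenticated session, not just the login
       page, is forced onto HTTPS: CONFIDENTIAL makes Tomcat redirect plain
       HTTP requests for these URLs to the connector's redirectPort. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Option A: keep FORM auth. j_username/j_password travel as a plain POST
       to j_security_check, so this is only acceptable together with the
       CONFIDENTIAL constraint above. -->
  <!--
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  -->

  <!-- Option B (Mark's suggestion): DIGEST auth. The browser sends a hash of
       username, realm, password and a server nonce instead of the password,
       so the password itself does not cross the wire in the clear. It does
       not encrypt anything else, so the CONFIDENTIAL constraint above is
       still what protects the session and page content. -->
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>Example realm</realm-name>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

With DIGEST the Realm has to be able to produce the username:realm:password digest, so passwords in the user store are kept either in clear or pre-digested in exactly that form; a store holding plain MD5(password) hashes will not work.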