Mark,

On Tue, Mar 10, 2009 at 8:23 PM, Mark Thomas <ma...@apache.org> wrote:
>
> Ditch FORM auth, use DIGEST.
>

I'm afraid I don't see how to combine DIGEST with a Login-form - and that's a customer request.
I know that SecurityFilter is quite a handy tool; however, that doesn't support Tomcat's SSO-functionality yet (?).

I guess I can live with an unencrypted SessionID since our sites are not that important as to expect any session-hijacking (btw., does Tomcat check if the SessionID maps to a certain IP?). What is important is performance - therefore I tend to not use SSL except for the LoginForm.

Looks like we have to get a few certs then.

Rgds

Gregor
--
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371