Mark,

On Tue, Mar 10, 2009 at 8:23 PM, Mark Thomas <ma...@apache.org> wrote:
>
> Ditch FORM auth, use DIGEST.
>
I'm afraid I don't see how to combine DIGEST with a Login-form - and
that's a customer request.

I know that SecurityFilter is quite a handy tool; however, it
doesn't support Tomcat's SSO functionality yet (?).

I guess I can live with an unencrypted SessionID since our sites are
not so important as to expect any session hijacking (btw, does
Tomcat check if the SessionID maps to a certain IP?). What is
important is performance - therefore I tend not to use SSL except for
the LoginForm.

Looks like we have to get a few certs then.

Rgds

Gregor
-- 
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
