Date: 03 Dec 2002 10:21:19 -0600
From: Alexander Wallace <tomc...@rwsoft-online.com>
Reply-To: Tomcat Users List <tomc...@jakarta.apache.org>
To: Tomcat Users List <tomc...@jakarta.apache.org>
Subject: Re: Filters don't affect request dispatcher forward
Hey I love that! Thanks, let me try it!
Now, with this solution, I figure I can't force stuff that doesn't match
the "to be secured" pattern to go over http and not https if it is
requested, right? I still can live with that, but it would sure be
I'm not sure what you're really asking, but ...
If you declare a security constraint with a transport guarantee, any URL
that matches the specified pattern(s) can *only* be accessed via SSL. Any
URL that does not match the pattern can be accessed over *either* SSL or
One additional note -- web applications that allow a user to switch from
SSL back to non-SSL on the same session are broken. What you've just done
is allow anyone snooping the network to swipe the session id and
impersonate your user (for example, click the "buy" button again using the
credit card number that was entered on a secure page).
You should program your apps so that, once a user switches from non-SSL to
SSL, you never again accept a non-SSL request for that same session id.
If the user needs to go back (for example, after checking out of an
ecommerce site you want to buy some more stuff), start a new session first
(and clear the confidential data you might have captured).
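The rule in the reply above (never accept a non-SSL request for a session id that has already been used over SSL; start a fresh session instead), written as a servlet filter. This is an added example, not code from the list or from Tomcat; the filter class name, the attribute name and the `/*` mapping it assumes are hypothetical, and it targets the Servlet 2.3 `javax.servlet` API that Tomcat 4 shipped with.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical example filter (not from the mailing list or Tomcat).
 * Map it to "/*" in web.xml so it sees every request. Once a session has
 * been used over SSL it is marked; if that same session id later arrives
 * in the clear, the session is invalidated and an empty replacement is
 * started, so a session id snooped off the network cannot be replayed.
 */
public class SslSessionPinningFilter implements Filter {

    // Session attribute recording that this session has been seen over SSL.
    private static final String SEEN_SECURE = "example.sslPinning.seenSecure";

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);   // do not create one here

        if (session != null) {
            boolean seenSecure = Boolean.TRUE.equals(session.getAttribute(SEEN_SECURE));
            if (request.isSecure()) {
                // First SSL request on this session: bind the session to SSL from now on.
                if (!seenSecure) {
                    session.setAttribute(SEEN_SECURE, Boolean.TRUE);
                }
            } else if (seenSecure) {
                // Session id presented over plain HTTP after being bound to SSL:
                // discard it (and everything captured in it) and start a new,
                // empty session for this request, as the reply recommends.
                session.invalidate();
                request.getSession(true);
            }
        }
        chain.doFilter(req, res);
    }
}
```

Note that Tomcat's own transport-guarantee constraint still decides which URLs may be served only over SSL; this filter only adds the "never downgrade the session" rule on top of it.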