I have a web app deployed in Tomcat. I would like to declaratively secure the application such that all pages are inaccessible unless the user successfully authenticates. This is easy enough. I would also like to use HTTP form authentication over SSL - this is also easy enough. However, what I would like to do (declaratively) is to use SSL only on the login page. If I do something like this in web.xml:
This means the user cannot access any page without authenticating, but it also means all pages are being served over SSL, which is not necessary for my application. However, I do want to protect the communication of the user's credentials with SSL, hence I want to be able to specify SSL for the login page. Is this possible declaratively, and if so, how?
Michael [ March 02, 2005: Message edited by: Michael Fitzmaurice ]
"One good thing about music - when it hits, you feel no pain" - Bob Marley
This is as opposed to just putting "/login.html" in web.xml.
Rich Raposa
http://www.javalicense.com
Buy Java courseware -> get a free XBox!
Thanks for your response - I never thought to try that. Unfortunately, it doesn't seem to work; any path you put in the <form-login-page> element must start with a '/', so absolute URLs are not possible.