> From: Simon Funnell [mailto:simon.funn...@propositum.biz]
> Subject: Confidential Login
> I have some content that is restricted by role but not over
> a secure connection, however, if a user tries to access the
> content and is presented with the credentials/authentication
> form the form is also not over a secure connection and it
> needs to be.

Let's think about this. You want the authentication dialog to be encrypted, but not any subsequent traffic that uses the token that results from the authentication. If the subsequent traffic isn't encrypted, anyone with access to the traffic can hijack the session by using the token - you have no security. Is that really what you want?

The general rule is that once you start with encryption, you stay with it for anything dependent on the authentication.

 - Chuck