On 03/29/2004 03:42 PM Milt Epstein wrote:
>>My question is basically, why can I no longer encrypt the form-based
>>authentication for the container (i.e. SSL / HTTPS) and carry on the
>>session in unencrypted HTTP afterwards?
>>
>>In a nutshell. It seems to be a deliberate feature of the Servlet Spec.
>>
>>I have looked into it a lot and had work-arounds in place for a while,
>>but changes in tomcat as new releases come out have also stymied my
>>work-arounds.
>
>
> There have been many discussions on this topic, you should try
> searching for them. A general web search should find things, as well
> as on newsgroups, and also most likely this mailing list and
> absolutely certainly the tomcat-user mailing list (archives of both
> are available).

Milt,

I have searched these archives and tomcat-user's. Either the topic does
not lend itself to obvious keywords and any relevant stuff is buried in
the midst of pages and pages of other info, or the stuff I did find was
just inconclusive and unconvincing.

i.e. I've still got unanswered questions.

I read it was partly down to 'session-hijacking', but my attempt to
discuss it further was ignored, for whatever reason. I even opened a bug
six months ago in tomcat's bugzilla, but it was quickly closed with the
message that it had been discussed before.

I don't relish the idea of cajoling people to go over old ground again,
but I have no real alternative.

If it makes any difference, I am probably just the first of many who
will be asking about these changes from servlet spec 2.3 to 2.4, as
everyday java programmers become aware of the situation when making the
upgrade over the next year or so.

Adam
--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
___________________________________________________________________________
Archives: http://archives.java.sun.com/archives/servlet-interest.html