From: Tom B. <tbo...@gm...> - 2007-08-29 21:00:06
A quick look through the code for instances of 'http://localhost:8080/' uncovered several (seven for this specific search). So, yes, this leaves the possibility for unencrypted communication. A typical way of testing this is to configure an apache/tomcat setup where apache only forwards https requests to the tomcat server. This should expose any traffic that isn't being sent via https (the links will break, essentially).

-Tom

On 8/29/07, George Conard <gc...@gr...> wrote:
> adding developer listserv to this as at least part of the question is
> code-related
>
> i'll let others comment on the substance
>
> ------------------------------
> *From:* mif...@li... [mailto:mif...@li...] *On Behalf Of* Andrew White
> *Sent:* Wednesday, August 29, 2007 12:40 PM
> *To:* Mifos functional discussions
> *Subject:* [Mifos-functional] http vs https for access to Mifos
>
> Hi all,
>
> Here in Honduras we are hoping to force all the traffic to our Mifos
> implementation through an SSL (https) session so that usernames and
> passwords, as well as financial data, do not cross the Internet in
> cleartext.
>
> While forcing a normal web session through https via http can be easily
> accomplished via configuration settings in Tomcat+JBoss, I am concerned that
> some of the html that is output to the client's browser (e.g. via
> javascript) will output http: links. A quick glance through some of the
> code seems to show this concern is indeed valid ... I see references to http
> methods but am not sure if http links are output to the client browser.
>
> Does anyone know if this concern is indeed justified? Does anyone else
> have the concern that there is no encryption supported for Mifos sessions?
>
> -Andrew
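An added example, not part of the original thread and not Mifos code: a small scanner that repeats the source search described above for any hard-coded `http://` URL in web-application files, while skipping XML namespace, taglib and DOCTYPE identifiers that the browser never fetches. The file-suffix list and the sample page (including its `/example/` paths) are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Absolute cleartext URLs only; https:// and relative links never match.
HTTP_URL = re.compile(r"""http://[^\s"'<>)]+""", re.IGNORECASE)
# Text just before a URL that marks it as an identifier the browser never
# fetches (XML namespace, JSP taglib uri, DOCTYPE), so it is not a finding.
IDENTIFIER_PREFIX = re.compile(
    r"""(?:\bxmlns(?::[\w.-]+)?|\buri)\s*=\s*["']$|<!DOCTYPE[^>]*$""",
    re.IGNORECASE,
)
# Assumed set of file types worth scanning in a JSP/Java web application.
SUFFIXES = {".jsp", ".js", ".html", ".htm", ".xml", ".properties", ".java"}

# Constructed sample page; the paths under /example/ are placeholders.
SAMPLE_JSP = """<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<html xmlns="http://www.w3.org/1999/xhtml">
<form action="http://localhost:8080/example/login.do" method="post">
<script>window.location = 'http://localhost:8080/example/home.do';</script>
<a href="https://localhost:8443/example/help.do">help</a>
"""


def scan_text(name, text):
    """Return (file, line_no, url) for each hard-coded http:// link in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in HTTP_URL.finditer(line):
            if IDENTIFIER_PREFIX.search(line[: m.start()]):
                continue  # namespace / taglib / DTD identifier, not a link
            hits.append((name, line_no, m.group(0)))
    return hits


def scan_tree(root):
    """Scan every file under root whose suffix is in SUFFIXES."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SUFFIXES:
            hits.extend(scan_text(str(path), path.read_text(errors="replace")))
    return hits


if __name__ == "__main__":
    # With a directory argument scan that tree, otherwise the sample page.
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text("sample.jsp", SAMPLE_JSP)
    for name, line_no, url in found:
        print(f"{name}:{line_no}: {url}")
```

A static search only finds literals present in the source; URLs assembled at runtime are caught by the https-only proxy test described in the reply.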