From ef6d6cd03efa18b207aa9a77bfef8d2aad343f8b Mon Sep 17 00:00:00 2001 From: Ben Alex Date: Sat, 23 Sep 2006 06:20:29 +0000 Subject: [PATCH] SEC-347: Describe requirements for login page when using secure channels. --- doc/docbook/acegi.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/doc/docbook/acegi.xml b/doc/docbook/acegi.xml index 36a4151766..ed26e79b6e 100644 --- a/doc/docbook/acegi.xml +++ b/doc/docbook/acegi.xml @@ -1307,6 +1307,15 @@ if (obj instanceof UserDetails) { wired up by default to many Acegi Security beans. Please refer to the JavaDocs for PortResolverImpl for further details. + + You should note that using a secure channel is recommended if + usernames and passwords are to be kept secure during the login + process. If you do decide to use + ChannelProcessingFilter with form-based login, + please ensure that your login page is set to + REQUIRES_SECURE_CHANNEL, and that the + AuthenticationProcessingFilterEntryPoint.forceHttps + property is true.