I was wondering if there is a good Wiki page covering best practices for login security for
web apps?
One specific question I have is with regards to a login form on the home page (non-secure)
that submits to the login action. Because I cannot specify a scheme with JSF/JBoss seam
in the h:form tag, I cannot force it to submit to an https URL.
The best I can do is use the pages.xml to require HTTPS, but that results in one
non-secure request then a redirect to the secure request. So it's pointless in this case.
I reviewed a JIRA (http://jira.jboss.com/jira/browse/JBSEAM-741) where this was talked
about and it appears that for now the Seam team is holding off supporting a scheme
attribute in the link/form tags.
It has me thinking there is a security concern with doing this sort of thing (submitting a
non-secure form to a secure URL) and that perhaps I should just avoid having the
convenient login box on the home page.
Any feedback is very much appreciated.
Thanks,
Mark