Using SSL with JSP

Amit Kul
Greenhorn

Joined: Jul 27, 2006
Posts: 3
If I want to use Secure Sockets Layer technology in JavaServer Pages, then I have to configure Tomcat properly, and then the server (Tomcat) will handle the SSL handshaking and encrypting.

If the client is a browser, then all is taken care of. The browser will handle the client side of the SSL.
There is no change in the syntax of JSP or on the client side.
If this is wrong then please correct it.
If this is correct, then is this a secure thing? Because the browser is handling the client side itself.
OK
Thank you very much in advance.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41880
I'm not quite sure what you mean by "is this the secure thing". You're right that the browser handles the client part of SSL, and if you have an SSL connection, then the transmission is encrypted, and thus much more secure than raw HTTP.


Amit Kul
Greenhorn

Joined: Jul 27, 2006
Posts: 3
First of all, thank you very much, Ulf Dittmer, for replying to me.

"Is this the secure thing?" means: does the browser really not require any code for SSL, and will it work fine?

My question is: "Is there any change in the JSP syntax, or do I have to use some special classes or methods (in my JSP page) for using SSL technology?"

Is just configuring Tomcat sufficient?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41880
Yes, the browser handles SSL, there's nothing you need to add to it. Your JSP pages shouldn't need any changes either, besides -obviously- that all absolute URLs now start with HTTPS instead of HTTP.
Amit Kul
Greenhorn

Joined: Jul 27, 2006
Posts: 3
Thank you very much, Ulf Dittmer, for replying to me.

But please explain, with an example or piece of code, how to redirect the URL to HTTPS if a URL starts with HTTP instead of HTTPS.

And also please explain the communication between Tomcat (the SSL-enabled server) and the browser, that is, how the handshake takes place, how the data is encrypted, etc.

That's all.

Thank you very much once again.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41880
Wikipedia: SSL should give you a good start in learning about SSL.

You can use the HttpServletRequest.isSecure method to determine whether a request was made through HTTP or HTTPS. The HttpServletResponse.sendRedirect method can then be used to send the request to the secure URL if necessary.
[ July 30, 2006: Message edited by: Ulf Dittmer ]
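The isSecure/sendRedirect check described in the reply above, written as a servlet filter. This is an added example, not code from the thread; the class name, SECURE_HOST and SECURE_PORT are assumptions, and it uses the javax.servlet API of the thread's era (Tomcat 10 and later use jakarta.servlet).

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: sends plain-HTTP requests to the HTTPS connector.
public class HttpsRedirectFilter implements Filter {
    // Assumed deployment values. The host is fixed here rather than
    // copied from the client-supplied Host header.
    private static final String SECURE_HOST = "www.example.com";
    private static final int SECURE_PORT = 8443;

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isSecure()) {          // already HTTPS: continue normally
            chain.doFilter(req, res);
            return;
        }
        // A redirect cannot carry a POST body, and that body has already
        // crossed the network unencrypted, so reject instead of redirecting.
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        response.sendRedirect(secureUrl(request.getRequestURI(), request.getQueryString()));
    }

    // Rebuilds the same path and query string on the HTTPS origin.
    static String secureUrl(String uri, String query) {
        StringBuilder url = new StringBuilder("https://").append(SECURE_HOST);
        if (SECURE_PORT != 443) url.append(':').append(SECURE_PORT);
        url.append(uri);
        if (query != null) url.append('?').append(query);
        return url.toString();
    }
}
```

If TLS is terminated by a proxy in front of Tomcat, isSecure() returns false for every request unless the connector is configured to reflect the proxy's scheme, and this filter would then redirect in a loop.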
Amit Kul
Greenhorn

Joined: Jul 27, 2006
Posts: 2
Thank you, Ulf Dittmer.

I read that Wikipedia: SSL article. It is a very nice article, thank you for that. But for more security I want to use client-side certificates, as each client has its unique certificate issued by the server.

So how can I request the client certificate? I don't know anything about client-side certificates. Is only changing clientAuth (in the server.xml file) sufficient, or do I have to do something extra? Please tell me.

Thank you very much.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41880
Amit KK-

You seem to have two accounts, and for the one you're using now the same goes what Henry said above: please adjust your display name to a valid one.

As to your question, it's not server.xml you need to change to require a client certificate, but web.xml. You'll get stronger authentication with that - whether that's stronger overall security depends on your circumstances. The clients will need to set up their browsers with their client certificates, but I assume you already know how to do that.
Amit Kul
Greenhorn

Joined: Jul 27, 2006
Posts: 2
Yes, I have changed my display name. Sorry for that.

OK. Ulf Dittmer, will you please tell me what the necessary changes required in web.xml are to get a client certificate?

And also tell me how to set up clients' browsers with their client certificates. I don't know anything about client certificates. Also tell me from which site I should get these client certificates.

OK.
Thank you very much.
[ August 06, 2006: Message edited by: Amit Kul ]
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41880
In your web.xml you need this:


The method of importing certificates into a browser varies. In Firefox, go to Options -> Advanced -> Security -> View Certificates -> Your Certificates -> Import

As to how to get certificates, check Verisign and Thawte, which are the best-known certificate providers. I think you can also create them yourself using the Java tools keytool and certtool.
[ August 06, 2006: Message edited by: Ulf Dittmer ]
Marko Debac
Ranch Hand

Joined: Aug 21, 2006
Posts: 121
Hi,

I want to extend this old topic a little:


Ulf posted:
I think you can also create them yourself using the Java tools keytool and certtool.


Do we have to create these certificates when we want to implement WS-Security also? And how and where do we implement the certificate and keys?

Marko
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41880
    
  63
Marko,

This thread is about JSP and SSL. Don't hijack it with questions that are unrelated to this. You should start a new thread in the Web Services forum.
Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2308
Originally posted by Ulf Dittmer:


As to your question, it's not server.xml you need to change to require a client certificate, but web.xml.


If you want the authentication type to be CLIENT_CERT then certainly you have to change it in the web.xml, but in case you want all client requests to the secure socket to present a certificate, then you have to set clientAuth=true in the SSL connector tag in server.xml, which you might have uncommented for enabling SSL in Tomcat. But this is mainly used in B2B applications; it might not be used heavily in any web-based application.


Rahul Bhattacharjee
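What the application sees once a client certificate is required, whether through the web.xml setting in Ulf's answer or the connector's clientAuth in Rahul's: an added example, not code from the thread. The class name and the "clientSubject" attribute are assumptions; the configuration it relies on is summarised in the leading comment, where the web.xml value is spelled CLIENT-CERT.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example. Assumed configuration, matching the two options in the thread:
 *   web.xml:    <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
 *               plus a <security-constraint> covering the protected URLs
 *   server.xml: clientAuth="true" on the SSL <Connector>, so every
 *               connection to that port must present a certificate
 */
public class ClientCertFilter implements Filter {
    // Standard servlet request attribute holding the client's certificate chain
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        // Fail closed: no TLS or no certificate means no access.
        if (!request.isSecure() || certs == null || certs.length == 0) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }
        X509Certificate leaf = certs[0];   // the client's own certificate comes first
        try {
            // The container checked the chain against its trust store during the
            // handshake; re-checking the validity period is defence in depth.
            leaf.checkValidity();
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate not valid");
            return;
        }
        // Expose the authenticated subject DN to the JSP ("clientSubject" is hypothetical).
        request.setAttribute("clientSubject", leaf.getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }
}
```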