specifying specific URL's to use SSL

manish ahuja
Ranch Hand

Joined: Oct 23, 2003
Posts: 312
Hi All

I am using form based authentication. In this I want to only specify the Login Page to use SSL when the user enters his password. Post successful authentication the user should be using the normal http & not https.

I am using WebLogic 7 & have enabled https on port 7002. In my application, web.xml looks like this:

<user-data-constraint>
    <description>
        Specify how user data is to be transferred
    </description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

The problem is that all the URLs specified in the <url-pattern>
(<url-pattern>/jsp/error/*</url-pattern>
<url-pattern>/jsp/navigation/*</url-pattern>)
will run under https now, which I want to avoid if possible.

Can we do something where we use selective https for some links in the site & then use http for others?

Regards

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42292
    
  64
First off, why shouldn't the application use HTTPS everywhere? If it is important enough to require a password (which furthermore should not be snooped since you require HTTPS), then isn't the whole thing important enough to run on HTTPS? Have you done load tests to ascertain that the server can't handle an all-HTTPS web app? Or is there some other reason?

If you're still set on using HTTPS just for the login page, then don't declare anything in the web.xml. Just check in the login page that it is accessed over HTTPS (and redirect to its HTTPS URL if it isn't), and then forward to an HTTP URL from there.


Ping & DNS - my free Android networking tools app
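
The check-and-redirect approach described in the reply above, written as a servlet filter. This is an added example, not code from the thread. The login page path, the plain-HTTP port 7001 and the "canonicalHost" init-param are assumptions; 7002 is the HTTPS port from the question, and the login page is assumed to be requested by its own URL.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: map this filter to /* in web.xml instead of using <transport-guarantee>. */
public class LoginTransportFilter implements Filter {
    private static final String LOGIN_PAGE = "/jsp/login.jsp"; // hypothetical path
    private static final int HTTPS_PORT = 7002;                // HTTPS port from the question
    private static final int HTTP_PORT = 7001;                 // assumed plain-HTTP port
    private String host;                                       // hypothetical init-param "canonicalHost"

    public void init(FilterConfig cfg) throws ServletException {
        host = cfg.getInitParameter("canonicalHost");
        if (host == null) throw new ServletException("canonicalHost init-param is required");
    }

    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        boolean login = LOGIN_PAGE.equals(req.getServletPath());
        boolean get = "GET".equals(req.getMethod());

        if (login && !req.isSecure()) {
            // Never serve or accept the login form over plain HTTP.
            if (get) res.sendRedirect(target("https", HTTPS_PORT, req));
            else res.sendError(HttpServletResponse.SC_FORBIDDEN, "Login requires HTTPS");
        } else if (!login && req.isSecure() && get && req.getRemoteUser() != null) {
            // Authenticated user is past the login page: hand back to plain HTTP.
            res.sendRedirect(target("http", HTTP_PORT, req));
        } else {
            chain.doFilter(rq, rs);
        }
    }

    // Build the redirect from the configured host, not the client-supplied Host header.
    private String target(String scheme, int port, HttpServletRequest req) {
        String qs = req.getQueryString();
        return scheme + "://" + host + ":" + port + req.getRequestURI() + (qs == null ? "" : "?" + qs);
    }
}
```

For the session to survive the switch back to HTTP, the session cookie cannot carry the Secure flag, so it travels in cleartext on every request after login. That exposure is the cost of protecting only the password exchange.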
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: specifying specific URL's to use SSL