
specifying specific URL's to use SSL

manish ahuja
Ranch Hand

Joined: Oct 23, 2003
Posts: 312
Hi All

I am using form-based authentication. In this I want to only specify the Login Page to use SSL when the user enters his password. Post successful authentication the user should be using the normal http & not https.

I am using WebLogic 7 & have enabled https on port 7002. In my application, web.xml looks like this:

Specify how user data is to be transferred

The problem is all the URLs specified in the <url-pattern> will run under https now, which if possible I want to avoid.

Can we do something like where we can do selective https for some links in the site & then use http for others?

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
First off, why shouldn't the application use HTTPS everywhere? If it is important enough to require a password (which furthermore should not be snooped since you require HTTPS), then isn't the whole thing important enough to run on HTTPS? Have you done load tests to ascertain that the server can't handle an all-HTTPS web app? Or is there some other reason?

If you're still set on using HTTPS just for the login page, then don't declare anything in the web.xml. Just check in the login page that it is accessed over HTTPS (and redirect to its HTTPS URL if it isn't), and then forward to an HTTP URL from there.
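
The login-page check described in the reply above could look like the following. This is an added example, not code posted in the thread: the class name `HttpsLoginGuard` and its method names are hypothetical, and port 7002 is the HTTPS port given in the question.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical helper, not from the thread). Call it at the
 * top of the login page, before any output is written:
 *   if (!HttpsLoginGuard.ensureHttps(request, response)) return;
 * Once the page itself is served over HTTPS, a relative form action such as
 * j_security_check is resolved against it and the password is posted over
 * HTTPS as well.
 */
public final class HttpsLoginGuard {

    // Assumption: HTTPS listener port taken from the question (7002).
    private static final int HTTPS_PORT = 7002;

    private HttpsLoginGuard() {}

    /** Builds the HTTPS equivalent of the current request URL. */
    static String httpsUrl(String host, int port, String uri, String query) {
        StringBuffer url = new StringBuffer("https://").append(host);
        if (port != 443) {            // 443 is implied by the https scheme
            url.append(':').append(port);
        }
        url.append(uri);
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    /**
     * Returns true if the request already arrived over HTTPS. Otherwise it
     * sends a redirect to the HTTPS URL and returns false; the caller must
     * then stop and not render the password form.
     */
    public static boolean ensureHttps(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        if (req.isSecure()) {
            return true;
        }
        res.sendRedirect(httpsUrl(req.getServerName(), HTTPS_PORT,
                                  req.getRequestURI(), req.getQueryString()));
        return false;
    }
}
```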