Using https: for security

Bill Dornbush
Greenhorn

Joined: Jul 26, 2003
Posts: 10
I am developing an application where I want the users to have some protection from the Internet and snooping. I want to force all users to use https:// rather than just http:// so that encryption is used. When a user logs in, I would like to redirect them to an https:// session if needed. JSF seems to take a relative .jsp for the <to-view-id> value. I thought about just setting up a .jsp that would issue a jsp-forward, or an http refresh, but that would require me to hard code the full server url, whereas I would like the page to be relative to my server and only need to change the protocol, so that I can move the .ear file to my test server and production server without having to modify the code. How would I implement a redirection to https:// when the user logs in successfully?
Gerardo Tasistro
Ranch Hand

Joined: Feb 08, 2005
Posts: 362
The following code



Works well for setting the base path relative to the server and application path. So you could just substitute request.getScheme() with https in some sort of redirect code, probably a forward on detecting http request.

There are also security constraints you can set up on the web.xml file to ensure http always and have the container check for it rather than each individual jsf.

For example http://ebxmlrr.sourceforge.net/3.0/UsingHTTPS.html

along the lines of "Requiring Access to the Server to be Secure".
[ April 22, 2006: Message edited by: Gerardo Tasistro ]
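
The container-enforced approach mentioned in the post above, shown as an added example that is not part of the original thread or of the linked page. It is a fragment for WEB-INF/web.xml; the resource name and the choice to cover every URL with /* are assumptions made for this example.

```xml
<!-- Added example: place inside <web-app> in WEB-INF/web.xml. -->
<security-constraint>
    <web-resource-collection>
        <!-- Descriptive label only; the name is an assumption for this example. -->
        <web-resource-name>Entire application</web-resource-name>
        <!-- Assumed scope: every URL, so the login page, the /faces/* views
             and static resources are all covered. With no <http-method>
             elements listed, the constraint applies to all HTTP methods. -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- No <auth-constraint> here: this block only governs transport,
         it does not restrict who may access the pages. -->
    <user-data-constraint>
        <!-- NONE (the default) accepts plain http.
             CONFIDENTIAL makes the container refuse to serve the resource
             over an unencrypted connection; containers typically answer an
             http request with a redirect to their configured HTTPS port. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

Because the redirect target comes from the container's own connector configuration, the same archive can move between test and production servers without a hard-coded URL. A redirect only happens after the first request has arrived, so a login form must itself be served over https or the credentials posted from it will already have crossed the network in the clear.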
Bill Dornbush
Greenhorn

Joined: Jul 26, 2003
Posts: 10
I have a working way to transfer someone to https:

In my program login.jsp, I added a hyperlink "Go to Secure Login". This link is rendered only if the protocol is not secure. I detect this through a method in the backing bean:

    // True when the current request arrived over a secure channel (https).
    public boolean getSecure() {
        HttpServletRequest request = (HttpServletRequest) facesContext.getExternalContext().getRequest();
        return request.isSecure();
    }

The URL of the link is determined in another method in the backing bean:

    // Builds the https:// URL of the welcome page on the same server.
    public String getHttps() {
        // Port from the properties file, stored with its leading ':'.
        String httpsPort = Props.getProps().getStringProperty("httpsPort");
        HttpServletRequest request = (HttpServletRequest) facesContext.getExternalContext().getRequest();
        String newpath = "https://"
                + request.getServerName()
                + httpsPort
                + request.getContextPath()
                + "/index.jsp";
        return newpath;
    }

The method Props.getProps().getStringProperty("httpsPort") gets the port number with a leading : from my properties file. This allows me to migrate the application to a server where https: is configured to a different port.

index.jsp is the page (not jsf) that is coded in web.xml as the welcome page. It contains: <jsp:forward page="faces/login.jsp"></jsp:forward>

I don't understand why, but if I link to the login.jsp page with the https: protocol, I get an error message "Cannot find FacesContext."
 