• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Using https: for security

 
Greenhorn
Posts: 10
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I am developing an application where I want the users to have some protection from the Internet and snooping. I want to force all users to use https:// rather than just http:// so that encryption is used. When a user logs in, I would like to redirect them to an https:// session if needed. JSF seems to take a relative .jsp for the <to-view-id> value. I thought about just setting up a .jsp that would issue a jsp-forward, or an http refresh, but that would require me to hard code the full server url, whereas I would like the page to be relative to my server and only need to change the protocol, so that I can move the .ear file to my test server and production server without having to modify the code. How would I implement a redirection to https:// when the user logs in successfully?
 
Ranch Hand
Posts: 362
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The following code



Works well for setting the base path relative to the server and application path. So you could just substitute request.getScheme() with https in some sort of redirect code, probably a forward on detecting http request.

There are also security constraints you can setup on the web.xml file to ensure http allways and have the container check for it rather than each individual jsf.

For example http://ebxmlrr.sourceforge.net/3.0/UsingHTTPS.html

along the lines of "Requiring Access to the Server to be Secure".
[ April 22, 2006: Message edited by: Gerardo Tasistro ]
 
Bill Dornbush
Greenhorn
Posts: 10
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I have a working way to transfer someone to https:

In my program login.jsp, I added a hyperlink "Go to Secure Login". This link is rendered only if the protocol is not secure. I detect this through a method in the backing bean:

public boolean getSecure() {
HttpServletRequest request = (HttpServletRequest)facesContext.getExternalContext().getRequest();
return request.isSecure();
}

The URL of the link is determined in another method in the backing bean:

public String getHttps() {
String httpsPort = Props.getProps().getStringProperty("httpsPort");
HttpServletRequest request = (HttpServletRequest)facesContext.getExternalContext().getRequest();
String newpath = "https://"
+ request.getServerName()
+ httpsPort
+ request.getContextPath()
+ "/index.jsp";
return newpath;
}

The method Props.getProps().getStringProperty("httpsPort") gets the port number with a leading : from my properties file. This allows me to migrate the application to a server where https: is configured to a different port.

index.jsp is the page (not jsf) that is coded in web.xml as the welcome page. It contains: <jsp:forward page="faces/login.jsp"></jsp:forward>

I don't understand why, but if I link to the login.jsp page with the https: protocol, I get an error message "Cannot find FacesContext."
 
What's wrong? Where are you going? Stop! Read this tiny ad:
a bit of art, as a gift, that will fit in a stocking
https://gardener-gift.com
reply
    Bookmark Topic Watch Topic
  • New Topic